Ask / Submit
183

Do we get a fix for glibc security issues?

asked 2016-02-17 14:14:15 +0300

lpr gravatar image

updated 2017-07-31 20:30:39 +0300

CVE-2014-9761
=MER#1633

As hackers are working on real exploits this is very urgent. SFOS seems¹ to use ASLR (which prevents the most simple exploits), but what occurrence does it use: the weak form of kernel 2.6.12 or Position-independent executable (PIE) which is stronger but weak in low memory conditions :-( ? ASLR is not perfect: Here is an interesting article about ASLR on ARMv7 devices [Stagefright is not fixed btw and could harm a JollaPhone].
Possible workarounds without patching are not suitable!

• ( CVE-2015-7547 (the one and only glibc related issue fix released in final Taalojärvi))
• (CVE-2015-8777 fix released in Haapajoki)
• (CVE-2015-8776: fix released in Haapajoki)
• (CVE-2015-8778: fix released in Haapajoki)
• CVE-2014-9761: A stack overflow (unbounded alloca) could have caused applications which process long strings with the nan function to crash or, potentially, execute arbitrary code. (Accessvector:NETWORK/REMOTE CVSS v3 Base Score:9.8/10 critical)
• (CVE-2015-8779: fix released in Haapajoki)
• (CVE-2015-1781: fix released in Haapajoki)
• (CVE-2014-8121: fix released in Haapajoki)

(from SUSE:SLE-12-SP1 patch of glibc 2.19 from 20160217)

• Do not copy d_name field of struct dirent. (CVE-2016-1234) (Fix released in Jämsänjoki)
• Do not use alloca in clntudp_call. (CVE-2016-4429) (Fix released in Jämsänjoki)
(from SUSE:SLE-12-SP1 patch of glibc 2.19 from 20160711)

additionally:
• (CVE-2015-5277: fix released in Haapajoki)
• (CVE-2016-3075 fix released in Haapajoki)
• (CVE-2016-2856: fix released in Haapajoki)

These vulnerabilities (but not cve-2014-9761) are fixed in glibc-2.19-0ubuntu6.9 and -0ubuntu6.13, version -0ubuntu6.8 with debian/patches/any/CVE-2014-9761-2.diff provides inconvenient fix adding an additional symbol to symbol-table (requires manual restart of server services after patching)

¹cat /proc/sys/kernel/randomize_va_space returns 2 and repeated ldd <some-executable> is returning different addresses of linked libraries.

edit retag flag offensive close delete

Comments

9

Thank you, great post. Just wanted to open it ;) .... second :-D

megalith ( 2016-02-17 15:56:14 +0300 )edit
1

+1 and more characters

jollailija ( 2016-02-17 17:35:41 +0300 )edit
4

its glibc, they will have to rebuild/test the world. I would expect that they will push back the Taalojarvi release for it though.

r0kk3rz ( 2016-02-17 17:51:00 +0300 )edit
13

@r0kk3rz no, they haven't to rebuild a lot. It affects glibc alone with its system functions, notably getaddrinfo() and strftime() used by almost all other applications

lpr ( 2016-02-17 18:36:15 +0300 )edit
11

Why is Jolla not able to patch on day zero?

lpr ( 2016-02-18 19:03:01 +0300 )edit

2 Answers

Sort by » oldest newest most voted
8

answered 2016-03-30 17:53:54 +0300

schmittlauch gravatar image

updated 2016-03-31 23:35:45 +0300

I added this issue to the topics for community meetings, maybe it'll be discussed on Thurs Mar-31 2016 @ 14:30 UTC in #mer-meeting (IRC) so if you're interested please show up there.

Edit: The relevant part of the meeting:

  • So 2.0.1 releasing is pending on the incoming call silence issue. (veskuh, 15:23:12)
  • the plan has been to release the hotfixes along with 2.0.1, but if that is still too far we should reconsider doing it as a separate hotfix as is now the proposal (veskuh, 15:24:23)
  • Jolla don't have definition of what makes issue critical, but we do have process for hotfix releases (stephg, 15:31:38)

So let's expect that hotfix.

edit flag offensive delete publish link more

Comments

2

This is probably the best answer the community can provide, but doesn't answer to the question even with an ETA. Anyway, thanks to @veskuh and btw, you're welcome to answer on TJC too ;)

reviewjolla ( 2016-03-31 23:52:15 +0300 )edit
6

answered 2016-04-24 16:02:49 +0300

lpr gravatar image

updated 2017-07-31 20:39:23 +0300

It seems we will not see a single package update for glibc in Taalojärvi and Saimaa.
Jolla claims to have solved the issues with version 2.0.1 so there will be a new early access release of Taalojärvi.
I suppose Saimaa users have to keep waiting until final release...
edit 20160428: 2.0.1.11 fixes cve-2015-7547, 12 remaining...
edit 20170515: cve-2016-1234 and cve-2016-4429 fixed in glibc-2.19ubuntu6.11 so please implement it as soon as possible...

edit 20170629: glibc-2.19-0ubuntu6.13 additionally handles CVE-2017-1000366 (Stack Clash) so this should be implemented asap... (MER#1789)
edit 20170731: glibc-2.19-0ubutu6.13 part of Jämsänjoki update, leaving only cve-2014-9761 and cve-2015-5180 ...

edit flag offensive delete publish link more

Comments

8

Yes, 2.0.1.11 is rolling out today to early access and includes glibc update.

veskuh ( 2016-04-28 15:00:46 +0300 )edit

@veskuh@xfade quick update to glibc-2.19+6.8 is needed! [not glibc-2.19+6.9 because 6.9 unfixes cve-2014-9761]

lpr ( 2016-06-25 15:54:13 +0300 )edit
3

new release 2.0.2.48 without an update? come on guys, really? @veskuh@xfade@tigeli

lpr ( 2016-07-28 16:25:05 +0300 )edit

@veskuh@xfade@tigeli please revert debian/patches/any/CVE-2014-9761-2.diff in SFOS-source (as mer-project refuses this request due to servers) and release it in final Fiskarsinjoki. Phones have different needs than servers...

lpr ( 2016-10-18 18:58:56 +0300 )edit
Login/Signup to Answer

Question tools

Follow
22 followers

Stats

Asked: 2016-02-17 14:14:15 +0300

Seen: 9,136 times

Last updated: Jul 31