USN DB showing locales binary package published by eglibc/libc6

Bug #1858641 reported by Pedro Principeza
This bug affects 2 people
Affects: Ubuntu CVE Tracker
Status: New
Importance: Undecided
Assigned to: Leonidas S. Barbosa

Bug Description

[Description]

Querying the USN DB [1], one may find the information that libc6 seems to provide a locales package (2.19-0ubuntu6.15+esm1, under "allbinaries").

However, libc6/eglibc packages do not provide locales in either Trusty or Precise, so the entry in the USN DB is actually inconsistent.

As follows:

{
  "description": "Jakub Wilk discovered that GNU C Library incorrectly handled certain memory alignments.\nAn attacker could possibly use this issue to execute arbitrary code or cause\na crash.\n",
  "releases": {
    [...]
    "trusty": {
      "allbinaries": {
        "libc6-dev-powerpc": {
          "version": "2.19-0ubuntu6.15+esm1"
        },
        [...]
        "locales": {
          "version": "2.19-0ubuntu6.15+esm1"
        },
        [...]
  },
  "title": "GNU C Library vulnerability",
  "timestamp": 1575985772.819008,
  "summary": "eglibc vulnerability",
  "action": "After a standard system update you need to reboot your computer to make\nall the necessary changes.\n",
  "isummary": "GNU C Library could be made to execute arbitrary code or cause a crash\nif it received a specially crafted input.\n",
  "id": "4218-1",
  "cves": [
    "CVE-2018-6485"
  ]
}

As this inconsistency is only seen in the USN DB, this might very well be a generic parsing issue that may affect not only libc6 but other packages as well.

[Reproduction]
N/A.

[Impact]
Misleading entries in the USN DB, leading one to think binary packages are available at a certain version when they're not.

Let me know if further info is needed to proceed. Thanks!

[1] https://usn.ubuntu.com/usn-db/database-all.json.bz2

Alex Murray (alexmurray) wrote :

Since eglibc 2.15-0ubuntu10.22 is still in the ESM PPA this is relatively easy to reproduce following the instructions at https://wiki.ubuntu.com/SecurityTeam/UpdatePublication#Announce_Publication:

$ SRCPKG=eglibc
$ USN=4218-1 # https://usn.ubuntu.com/4218-1/
$ $UCT/scripts/sis-changes --download /tmp/pending $SRCPKG --ppa ubuntu-security/esm --include-eol && cd /tmp/pending && $UCT/scripts/sis-generate-usn --no-new-warn $USN *.changes > ~/new-usn.sh

We can then see that when generating the USN the locales package will get listed for precise in the USN DB:
$ grep locales ~/new-usn.sh
  usn.py $DB $USN --release precise --package locales --binary-version 2.15-0ubuntu10.22
  usn.py $DB $USN --release precise --package locales-all --binary-version 2.15-0ubuntu10.22
  usn.py $DB $USN --release precise --package locales --all-binary-version 2.15-0ubuntu10.22
  usn.py $DB $USN --release precise --package locales-all --all-binary-version 2.15-0ubuntu10.22

This is because this is listed in the Binary field of the changes files which were obtained from the PPA:
$ grep Binary.*locales /tmp/pending/*.changes
/tmp/pending/eglibc_2.15-0ubuntu10.22_amd64.changes:Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-prof libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-prof libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-prof libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-prof libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-s390x libc6-dev-s390x libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc6-armhf libc6-dev-armhf libc6-armel libc6-dev-armel libc0.1-i386 libc0.1-dev-i386 libc6-sparcv9v libc6-sparcv9v2 libc6-sparc64b libc6-sparc64v libc6-sparc64v2 libc6-xen libc0.1-i686 libc0.3-i686 libc0.3-xen libc6.1-alphaev67 libc6-loongson2f libnss-dns-udeb libnss-files-udeb
/tmp/pending/eglibc_2.15-0ubuntu10.22_armel.changes:Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-prof libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-prof libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-prof libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-prof libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-s390x libc6-dev-s390x libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc6-armhf libc6-dev-armhf libc6-armel libc6-dev-armel libc0.1-i386 libc0.1-dev-i386 libc6-sparcv9v libc6-sparcv9v2 libc6-sparc64b libc6-sparc64v libc6-sparc64v2 libc6-xen libc0.1-i686 libc0.3-i686 libc0.3-xen libc6.1-alphaev67 libc6-loongson2f libnss-dns-udeb libnss-files-udeb
/tmp/pending/eglibc_2.15-0ubuntu10.22_armhf.changes:Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all nscd multiarch-support libc6 libc6-d...

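The two observations above, the reporter's query of the USN DB "allbinaries" entries and Alex's finding that those entries are copied from the Binary: header of the .changes files, can be cross-checked with a short script. The following is an added example, not code from ubuntu-cve-tracker or usn.py: it parses the RFC822-style .changes fields, takes the binary package names from the .deb/.udeb entries under Files: rather than from Binary:, and reports any name that Binary: or the USN DB lists but no architecture's .changes file actually shipped. The two .changes texts and the USN DB fragment are constructed samples trimmed to a few packages (the real database-all.json is keyed by USN id and the real .changes files also carry Checksums-* fields and a PGP signature); the assumption that "no .deb/.udeb under Files: in any .changes file of the upload" means "not built" is the script's, not the bug's.

```python
"""Added example for this report (not ubuntu-cve-tracker code): find
binaries a USN DB entry or a Binary: header names that the upload's
.changes files never shipped as a .deb/.udeb. Assumption: no .deb/.udeb
under Files: in any architecture's .changes file means the package was
not built, even though debian/control (hence Binary:) still lists it.
The .changes texts and the USN DB fragment below are constructed samples."""
import re

# Constructed: the amd64 upload also carries the arch:all packages, but, as
# in the report, nothing for locales/locales-all.
CHANGES_AMD64 = """\
Source: eglibc
Binary: libc-bin glibc-doc eglibc-source locales locales-all libc6
Architecture: amd64 all
Version: 2.15-0ubuntu10.22
Files:
 d41d8cd98f00b204e9800998ecf8427e 1000 libs required libc-bin_2.15-0ubuntu10.22_amd64.deb
 d41d8cd98f00b204e9800998ecf8427e 1000 libs required libc6_2.15-0ubuntu10.22_amd64.deb
 d41d8cd98f00b204e9800998ecf8427e 1000 doc optional glibc-doc_2.15-0ubuntu10.22_all.deb
 d41d8cd98f00b204e9800998ecf8427e 1000 devel optional eglibc-source_2.15-0ubuntu10.22_all.deb
"""
# Constructed: same Binary: header, arch-specific debs only.
CHANGES_ARMEL = """\
Source: eglibc
Binary: libc-bin glibc-doc eglibc-source locales locales-all libc6
Architecture: armel
Version: 2.15-0ubuntu10.22
Files:
 d41d8cd98f00b204e9800998ecf8427e 1000 libs required libc-bin_2.15-0ubuntu10.22_armel.deb
 d41d8cd98f00b204e9800998ecf8427e 1000 libs required libc6_2.15-0ubuntu10.22_armel.deb
"""
# Constructed fragment shaped like the entry quoted in the report; the real
# database-all.json is keyed by USN id.
USN_DB = {"4218-1": {"releases": {"precise": {"allbinaries": {
    "libc-bin": {"version": "2.15-0ubuntu10.22"},
    "libc6": {"version": "2.15-0ubuntu10.22"},
    "glibc-doc": {"version": "2.15-0ubuntu10.22"},
    "eglibc-source": {"version": "2.15-0ubuntu10.22"},
    "locales": {"version": "2.15-0ubuntu10.22"},
    "locales-all": {"version": "2.15-0ubuntu10.22"},
}}}}}
# name_version_arch.deb or .udeb; group 1 is the binary package name.
DEB_RE = re.compile(r"^([a-z0-9][a-z0-9+.-]*)_[^_/]+_[^_/]+\.u?deb$")

def parse_changes(text):
    """RFC822-style fields to a dict; continuation lines are joined with a
    newline so Files: keeps one entry per line. Skips a clearsign wrapper."""
    fields, key = {}, None
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE"):
            break  # trailing signature block carries no fields
        if not line.strip() or line.startswith(("-----BEGIN PGP SIGNED", "Hash:")):
            continue
        if line[0] in " \t" and key is not None:
            fields[key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields

def declared_binaries(fields):
    """What the Binary: header claims; it is copied from debian/control."""
    return set(fields.get("Binary", "").split())

def built_binaries(fields):
    """Packages that really have a .deb/.udeb listed under Files:."""
    built = set()
    for entry in fields.get("Files", "").splitlines():
        parts = entry.split()
        match = DEB_RE.match(parts[-1]) if parts else None
        if match:
            built.add(match.group(1))
    return built

def built_across(changes_texts):
    """Union over every architecture's .changes file: an arch:all package
    is only in one arch's Files: and would look missing in all the others."""
    built = set()
    for text in changes_texts:
        built |= built_binaries(parse_changes(text))
    return built

def phantom_binaries(changes_texts):
    """Names in any Binary: header that no .changes file shipped."""
    declared = set()
    for text in changes_texts:
        declared |= declared_binaries(parse_changes(text))
    return sorted(declared - built_across(changes_texts))

def usn_entries_without_debs(db, usn_id, release, changes_texts):
    """allbinaries names for usn_id/release that were never built: the
    misleading entries this report is about."""
    listed = set(db[usn_id]["releases"][release]["allbinaries"])
    return sorted(listed - built_across(changes_texts))

if __name__ == "__main__":
    # For a real check, load database-all.json and the downloaded *.changes
    # texts in place of the constructed samples.
    uploads = [CHANGES_AMD64, CHANGES_ARMEL]
    print("declared but never built:", phantom_binaries(uploads))
    print("USN DB entries without a .deb:",
          usn_entries_without_debs(USN_DB, "4218-1", "precise", uploads))
```

Running it on the samples flags locales and locales-all in both checks. Feeding only the armel .changes file would also flag glibc-doc and eglibc-source, which is why the comparison is done against the union of all architectures' Files: sections before anything is called missing; arch:all packages are shipped by exactly one architecture's upload.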

Alex Murray (alexmurray) wrote :

So this would appear to indicate the .changes files are incorrect (unless I am misunderstanding something).

Pedro Principeza (pprincipeza) wrote :

Hi there. Thank you for the inputs, Alex. Let me know if further info is required to proceed.

Marc Deslauriers (mdeslaur) wrote :

I have manually edited USN=4218-1 to remove locales and locales-all.

To resolve this issue, we should remove those packages from debian/control the next time we publish eglibc updates for precise or trusty.

Changed in ubuntu-cve-tracker:
assignee: nobody → Leonidas S. Barbosa (leosilvab)