USN DB showing locales binary package published by eglibc/libc6

Bug #1858641 reported by Pedro Principeza on 2020-01-07
Affects: Ubuntu CVE Tracker
Importance: Undecided
Assigned to: Leonidas S. Barbosa

Bug Description

[Description]

Querying the USN DB [1], one may find the information that libc6 seems to provide a locales package (2.19-0ubuntu6.15+esm1, under "allbinaries").

However, libc6/eglibc packages do not provide locales in either Trusty or Precise, so the entry in the USN DB is actually inconsistent.

As follows:

{
"description": "Jakub Wilk discovered that GNU C Library incorrectly handled certain memory alignments.\nAn attacker could possibly use this issue to execute arbitrary code or cause\na crash.\n",
"releases": {
[...]
"trusty": {
"allbinaries": {
"libc6-dev-powerpc": {
"version": "2.19-0ubuntu6.15+esm1"
},
[...]
"locales": {
"version": "2.19-0ubuntu6.15+esm1"
},
[...]
},
"title": "GNU C Library vulnerability",
"timestamp": 1575985772.819008,
"summary": "eglibc vulnerability",
"action": "After a standard system update you need to reboot your computer to make\nall the necessary changes.\n",
"isummary": "GNU C Library could be made to execute arbitrary code or cause a crash\nif it received a specially crafted input.\n",
"id": "4218-1",
"cves": [
"CVE-2018-6485"
]
}

As this inconsistency is only seen in the USN DB, this might very well be a generic parsing issue that may affect not only libc6 but other packages as well.

[Reproduction]
N/A.

[Impact]
Misleading entries in the USN DB, leading one to think binary packages are available at a certain version when they're not.

Let me know if further info is needed to proceed. Thanks!

[1] https://usn.ubuntu.com/usn-db/database-all.json.bz2

Alex Murray (alexmurray) wrote :

Since eglibc 2.15-0ubuntu10.22 is still in the ESM PPA, this is relatively easy to reproduce following the instructions at https://wiki.ubuntu.com/SecurityTeam/UpdatePublication#Announce_Publication:

$ SRCPKG=eglibc
$ USN=4218-1 # https://usn.ubuntu.com/4218-1/
$ $UCT/scripts/sis-changes --download /tmp/pending $SRCPKG --ppa ubuntu-security/esm --include-eol && cd /tmp/pending && $UCT/scripts/sis-generate-usn --no-new-warn $USN *.changes > ~/new-usn.sh

We can then see that when generating the USN the locales package will get listed for precise in the USN DB:
$ grep locales ~/new-usn.sh
  usn.py $DB $USN --release precise --package locales --binary-version 2.15-0ubuntu10.22
  usn.py $DB $USN --release precise --package locales-all --binary-version 2.15-0ubuntu10.22
  usn.py $DB $USN --release precise --package locales --all-binary-version 2.15-0ubuntu10.22
  usn.py $DB $USN --release precise --package locales-all --all-binary-version 2.15-0ubuntu10.22

This is because this is listed in the Binary field of the changes files which were obtained from the PPA:
$ grep Binary.*locales /tmp/pending/*.changes
/tmp/pending/eglibc_2.15-0ubuntu10.22_amd64.changes:Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-prof libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-prof libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-prof libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-prof libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-s390x libc6-dev-s390x libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc6-armhf libc6-dev-armhf libc6-armel libc6-dev-armel libc0.1-i386 libc0.1-dev-i386 libc6-sparcv9v libc6-sparcv9v2 libc6-sparc64b libc6-sparc64v libc6-sparc64v2 libc6-xen libc0.1-i686 libc0.3-i686 libc0.3-xen libc6.1-alphaev67 libc6-loongson2f libnss-dns-udeb libnss-files-udeb
/tmp/pending/eglibc_2.15-0ubuntu10.22_armel.changes:Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-prof libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-prof libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-prof libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-prof libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-s390x libc6-dev-s390x libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc6-armhf libc6-dev-armhf libc6-armel libc6-dev-armel libc0.1-i386 libc0.1-dev-i386 libc6-sparcv9v libc6-sparcv9v2 libc6-sparc64b libc6-sparc64v libc6-sparc64v2 libc6-xen libc0.1-i686 libc0.3-i686 libc0.3-xen libc6.1-alphaev67 libc6-loongson2f libnss-dns-udeb libnss-files-udeb
/tmp/pending/eglibc_2.15-0ubuntu10.22_armhf.changes:Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all nscd multiarch-support libc6 libc6-d...

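As an added example (not part of the bug report, the UCT scripts, or usn.py), the check that the bug description and Alex's grep output point at: parse the Binary: and Files: fields of .changes files and list every binary the source declares but never actually ships as a .deb, merging across all architectures so an arch:all package is not misreported. The two .changes excerpts, their file names and hashes are constructed for the example.

```python
import re

# Constructed .changes excerpts (not real uploads): Binary: declares locales and
# locales-all, but no such .deb appears under Files: for any architecture.
CHANGES_AMD64 = """\
Binary: libc-bin libc6 libc6-dev locales locales-all nscd
Version: 2.15-0ubuntu10.22
Files:
 00000000000000000000000000000000 1000 libs required libc-bin_2.15-0ubuntu10.22_amd64.deb
 00000000000000000000000000000000 2000 libs required libc6_2.15-0ubuntu10.22_amd64.deb
 00000000000000000000000000000000 3000 libdevel optional libc6-dev_2.15-0ubuntu10.22_amd64.deb
"""
CHANGES_ARMHF = """\
Binary: libc-bin libc6 libc6-dev locales locales-all nscd
Version: 2.15-0ubuntu10.22
Files:
 00000000000000000000000000000000 1000 libs required libc-bin_2.15-0ubuntu10.22_armhf.deb
 00000000000000000000000000000000 2000 libs required libc6_2.15-0ubuntu10.22_armhf.deb
 00000000000000000000000000000000 4000 admin optional nscd_2.15-0ubuntu10.22_armhf.deb
"""

# name_version_arch.deb (or .udeb): capture the binary package name.
DEB_NAME = re.compile(r"^([^_]+)_[^_]+_[^_]+\.u?deb$")

def parse_changes(text):
    """Return (declared binaries from Binary:, Version:, binaries listed under Files:)."""
    declared, built, version, in_files = set(), set(), None, False
    for line in text.splitlines():
        if line.startswith("Binary:"):
            declared = set(line.split(":", 1)[1].split())
        elif line.startswith("Version:"):
            version = line.split(":", 1)[1].strip()
        elif line.startswith("Files:"):
            in_files = True
        elif in_files and line.startswith(" "):   # continuation line of Files:
            m = DEB_NAME.match(line.split()[-1])
            if m:
                built.add(m.group(1))
        else:
            in_files = False                       # any other field ends Files:
    return declared, version, built

def phantom_binaries(*changes_texts):
    """Names in Binary: that no architecture's .changes ships as a .deb or .udeb."""
    # Merge across every .changes of the upload first: an arch:all package is
    # built on one architecture only and must not be flagged for the others.
    declared, built = set(), set()
    for text in changes_texts:
        d, _, b = parse_changes(text)
        declared, built = declared | d, built | b
    return sorted(declared - built)
```

Feeding the real /tmp/pending/*.changes of an upload to phantom_binaries gives exactly the names that usn.py would otherwise record under "allbinaries" without a package behind them.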

Alex Murray (alexmurray) wrote :

So this would appear to indicate the .changes files are incorrect (unless I am misunderstanding something).

Pedro Principeza (pprincipeza) wrote :

Hi there. Thank you for the inputs, Alex. Let me know if further info is required to proceed.

Marc Deslauriers (mdeslaur) wrote :

I have manually edited USN=4218-1 to remove locales and locales-all.

To resolve this issue, we should remove those packages from debian/control the next time we publish eglibc updates for precise or trusty.

Changed in ubuntu-cve-tracker:
assignee: nobody → Leonidas S. Barbosa (leosilvab)