USN DB showing locales binary package published by eglibc/libc6
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu CVE Tracker | New | Undecided | Leonidas S. Barbosa |
Bug Description
[Description]
Querying the USN DB [1], one may find the information that libc6 seems to provide a locales package (2.19-0ubuntu6.
However, libc6/eglibc packages do not provide locales in either Trusty or Precise, so the entry in the USN DB is actually inconsistent.
As follows:

```json
{
  "description": "Jakub Wilk discovered that GNU C Library incorrectly handled certain memory alignments.\nAn attacker could possibly use this issue to execute arbitrary code or cause\na crash.\n",
  "releases": {
    [...]
    "trusty": {
      "allbinaries": {
        "libc6-
          "version": "2.19-0ubuntu6.
        },
        [...]
        "locales": {
          "version": "2.19-0ubuntu6.
        },
        [...]
      },
  "title": "GNU C Library vulnerability",
  "timestamp": 1575985772.819008,
  "summary": "eglibc vulnerability",
  "action": "After a standard system update you need to reboot your computer to make\nall the necessary changes.\n",
  "isummary": "GNU C Library could be made to execute arbitrary code or cause a crash\nif it received a specially crafted input.\n",
  "id": "4218-1",
  "cves": [
    "CVE-2018-6485"
  ]
}
```
As this inconsistency is only seen in the USN DB, this might very well be a generic parsing issue, that may affect not only libc6, but other packages as well.
[Reproduction]
N/A.
[Impact]
Misleading entries in the USN DB, leading one to think binary packages are available at a certain version when they're not.
Let me know if further info is needed to proceed. Thanks!
Changed in ubuntu-cve-tracker:
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Since eglibc 2.15-0ubuntu10.22 is still in the ESM PPA this is relatively easy to reproduce following the instructions at https://wiki.ubuntu.com/SecurityTeam/UpdatePublication#Announce_Publication:

```
$ SRCPKG=eglibc
$ USN=4218-1 # https://usn.ubuntu.com/4218-1/
$ $UCT/scripts/sis-changes --download /tmp/pending $SRCPKG --ppa ubuntu-security/esm --include-eol && cd /tmp/pending && $UCT/scripts/sis-generate-usn --no-new-warn $USN *.changes > ~/new-usn.sh
```
We can then see that when generating the USN the locales package will get listed for precise in the USN DB:

```
$ grep locales ~/new-usn.sh
usn.py $DB $USN --release precise --package locales --binary-version 2.15-0ubuntu10.22
usn.py $DB $USN --release precise --package locales-all --binary-version 2.15-0ubuntu10.22
usn.py $DB $USN --release precise --package locales --all-binary-version 2.15-0ubuntu10.22
usn.py $DB $USN --release precise --package locales-all --all-binary-version 2.15-0ubuntu10.22
```
This is because it is listed in the Binary field of the .changes files which were obtained from the PPA:

```
$ grep Binary.*locales /tmp/pending/*.changes
/tmp/pending/eglibc_2.15-0ubuntu10.22_amd64.changes: Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-prof libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-prof libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-prof libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-prof libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-s390x libc6-dev-s390x libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc6-armhf libc6-dev-armhf libc6-armel libc6-dev-armel libc0.1-i386 libc0.1-dev-i386 libc6-sparcv9v libc6-sparcv9v2 libc6-sparc64b libc6-sparc64v libc6-sparc64v2 libc6-xen libc0.1-i686 libc0.3-i686 libc0.3-xen libc6.1-alphaev67 libc6-loongson2f libnss-dns-udeb libnss-files-udeb
/tmp/pending/eglibc_2.15-0ubuntu10.22_armel.changes: Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-prof libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-prof libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-prof libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-prof libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-s390x libc6-dev-s390x libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc6-armhf libc6-dev-armhf libc6-armel libc6-dev-armel libc0.1-i386 libc0.1-dev-i386 libc6-sparcv9v libc6-sparcv9v2 libc6-sparc64b libc6-sparc64v libc6-sparc64v2 libc6-xen libc0.1-i686 libc0.3-i686 libc0.3-xen libc6.1-alphaev67 libc6-loongson2f libnss-dns-udeb libnss-files-udeb
/tmp/pending/eglibc_2.15-0ubuntu10.22_armhf.changes: Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all nscd multiarch-support libc6 libc6-d...
```
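As an added illustration of the inconsistency described in this bug (not code from the report or from the ubuntu-cve-tracker scripts), the check below parses a constructed .changes excerpt and a constructed USN DB fragment and reports binary names that the Binary: field or the DB lists although no .deb for them was uploaded. It assumes that the Files: field of a .changes file is the authoritative list of uploaded artefacts.

```python
import re

# Constructed .changes excerpt (not a real Ubuntu upload): Binary: declares
# locales and locales-all, but no matching .deb is listed under Files:.
CHANGES = """\
Source: eglibc
Binary: libc-bin locales locales-all libc6 libc6-dev
Version: 2.15-0ubuntu10.22
Files:
 d41d8cd98f00b204e9800998ecf8427e 1234 libs required eglibc_2.15-0ubuntu10.22.dsc
 d41d8cd98f00b204e9800998ecf8427e 5678 libs required libc-bin_2.15-0ubuntu10.22_amd64.deb
 d41d8cd98f00b204e9800998ecf8427e 9012 libs required libc6_2.15-0ubuntu10.22_amd64.deb
 d41d8cd98f00b204e9800998ecf8427e 3456 libdevel optional libc6-dev_2.15-0ubuntu10.22_amd64.deb
"""

# Constructed USN DB fragment in the shape quoted in the bug: the generator
# copied every Binary: name into "allbinaries" for the release.
USN_RECORD = {"id": "4218-1", "releases": {"precise": {"allbinaries": {
    "libc6": {"version": "2.15-0ubuntu10.22"},
    "libc-bin": {"version": "2.15-0ubuntu10.22"},
    "locales": {"version": "2.15-0ubuntu10.22"},
    "locales-all": {"version": "2.15-0ubuntu10.22"},
}}}}
# name_version_arch.deb (or .udeb) -> package name
DEB_RE = re.compile(r"([^_/]+)_[^_/]+_[^_/]+\.u?deb$")

def parse_changes(text):
    """Return (declared, built): Binary: names vs. packages with a .deb/.udeb under Files:."""
    declared, built, field = set(), set(), None
    for line in text.splitlines():
        if line.startswith(" "):            # continuation line of the current field
            if field == "Files":
                m = DEB_RE.match(line.strip().rsplit(" ", 1)[-1])
                if m:
                    built.add(m.group(1))
        else:
            field, _, value = line.partition(":")
            if field == "Binary":
                declared.update(value.split())
    return declared, built

def phantom_binaries(text):
    """Names a Binary:-driven generator would emit although nothing was built."""
    declared, built = parse_changes(text)
    return sorted(declared - built)

def inconsistent_usn_entries(record, release, text):
    """USN DB allbinaries for `release` that no uploaded .deb in the .changes backs."""
    _, built = parse_changes(text)
    return sorted(n for n in record["releases"][release]["allbinaries"] if n not in built)
```

Run against real downloads, the same check can be applied to every .changes file in /tmp/pending before the generated usn.py calls are executed.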