Exploit for unpatched CVE reported in wild.

Bug #1031301 reported by David Ambrose-Griffith
Affects          Status        Importance  Assigned to  Milestone
eglibc (Ubuntu)  Fix Released  Undecided   Unassigned
glibc (Ubuntu)   Fix Released  Undecided   Unassigned

Bug Description

CVEs are as follows:

CVE-2012-3404
CVE-2012-3405
CVE-2012-3406

lsb_release -rd
Description: Ubuntu 10.04.3 LTS
Release: 10.04

Package: libc6 (2.11.1-0ubuntu7.10)

Details of the bugs are here upstream:

http://www.openwall.com/lists/oss-security/2012/07/11/17

We received reports from a colleague at another University that they have suffered a root compromise as a result of one of these CVEs, which I notice do not appear to be fixed yet in Ubuntu. They are running Scientific Linux 6 rather than Ubuntu, so the two can't be directly compared.

Debian appear to have fixes out for 2 of the 3 CVEs
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681473

They considered the security risk low, but I have reports of exploits in the wild.

The details I have so far from my colleague are as follows:

09:49 < DaveAG> Was it RHSA-2012:1098-1 you reckon bit you?
09:49 < colleague> erm, one of CVE-2012-3404, CVE-2012-3405, CVE-2012-3406
09:49 < colleague> I don't have an RHSA number to hand since this is SL
09:50 < DaveAG> Yeah, that RHSA lists those 3 CVEs
09:51 < colleague> Announced on the 18th July, we got done on 26th, that's scarily quick
09:52 < colleague> There must be an exploit specifically related to use of /bin/mount
09:53 < colleague> Lovely that with auditd running we immediately were able to spot which suid had been used to get root
09:53 < colleague> and the lack of command line arguments to the command meant it had to be done using the environment to change the way the output was formatted
09:57 < colleague> oh, and blocking the loading of kernel modules helped a lot
09:57 < colleague> It forced the attacker into trying something much more difficult which crashed the kernel.

security vulnerability: yes → no
visibility: private → public
Changed in eglibc (Ubuntu):
status: New → Confirmed
Changed in glibc (Ubuntu):
status: New → Confirmed
Revision history for this message
Thomas Ward (teward) wrote :

Apologies for setting this back as a security bug, I didn't see Marc set it as a non-vulnerability (aka "Public" only bug). I've rectified my mistake.

security vulnerability: no → yes
security vulnerability: yes → no
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Oh, I made a mistake when setting it public, this is definitely a security vulnerability.

security vulnerability: no → yes
Revision history for this message
David Ambrose-Griffith (d-e-ambrose-griffith) wrote :

Have there been any developments on this? Do we know if the Debian patches are safe to simply roll into Ubuntu?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eglibc - 2.11.1-0ubuntu7.11

---------------
eglibc (2.11.1-0ubuntu7.11) lucid-security; urgency=low

  * SECURITY UPDATE: buffer overflow in vfprintf handling
    - debian/patches/any/CVE-2012-3404.patch: Fix allocation when
      handling positional parameters in printf.
    - CVE-2012-3404
  * SECURITY UPDATE: buffer overflow in vfprintf handling
    - debian/patches/any/CVE-2012-3405.patch: fix extension of array
    - CVE-2012-3405
  * SECURITY UPDATE: stack buffer overflow in vfprintf handling
    (LP: #1031301)
    - debian/patches/any/CVE-2012-3406.patch: switch to malloc when
      array grows too large to handle via alloca extension
    - CVE-2012-3406
  * SECURITY UPDATE: stdlib strtod integer/buffer overflows
    - debian/patches/any/CVE-2012-3480.patch: rearrange calculations
      and modify types to avoid integer overflows
    - CVE-2012-3480
  * debian/patches/any/strtod_overflow_bug7066.patch: Fix array
    overflow in floating point parser triggered by applying patch for
    CVE-2012-3480
  * debian/testsuite-checking/expected-results-x86_64-linux-gnu-libc,
    debian/testsuite-checking/expected-results-i486-linux-gnu-libc,
    debian/testsuite-checking/expected-results-i686-linux-gnu-i386,
    debian/testsuite-checking/expected-results-i686-linux-gnu-i686,
    debian/testsuite-checking/expected-results-i686-linux-gnu-xen,
    debian/testsuite-checking/expected-results-sparc64-linux-gnu-sparc64:
    update for pre-existing testsuite failures that prevents FTBFS
    when the testsuite is enabled.
 -- Steve Beattie <email address hidden> Fri, 28 Sep 2012 23:48:21 -0700

Changed in eglibc (Ubuntu):
status: Confirmed → Fix Released
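The CVE-2012-3406 fix named in the changelog above (stop extending an alloca'd array without bound and move the positional-argument table to malloc once it grows too large) can be shown in a few lines. The C below is an added example, not glibc's or eglibc's code and not part of the bug report: the argslot layout, the STACK_CUTOFF_BYTES value and the function names max_positional, choose_storage and build_table are assumptions made for this illustration.

```c
#include <alloca.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Cutoff above which the table must not live on the stack. The value is
 * chosen here for illustration; it is not taken from the page or glibc. */
#define STACK_CUTOFF_BYTES (64 * 1024)

/* One slot per positional argument, as a printf implementation keeps it.
 * Layout is an assumption for the example. */
typedef struct { int type; long value; } argslot;

/* Highest N in any "%N$" directive of fmt, 0 if there are none. SIZE_MAX
 * signals that the digit string itself would wrap size_t. */
size_t max_positional(const char *fmt) {
    size_t best = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }          /* literal "%%" */
        size_t n = 0;
        const char *q = p + 1;
        while (*q >= '0' && *q <= '9') {
            if (n > (SIZE_MAX - 9) / 10) return SIZE_MAX;
            n = n * 10 + (size_t)(*q - '0');
            q++;
        }
        if (*q == '$' && n > best) best = n;
    }
    return best;
}

/* 0 = small enough for alloca, 1 = must go to malloc, -1 = count * size
 * would wrap, so refuse. The unpatched pattern did neither check and kept
 * extending the alloca region, so a large N pushed the stack pointer into
 * other mappings. */
int choose_storage(size_t count) {
    if (count > SIZE_MAX / sizeof(argslot)) return -1;
    size_t bytes = count * sizeof(argslot);
    return bytes <= STACK_CUTOFF_BYTES ? 0 : 1;
}

/* Build the argument table for fmt, place it according to choose_storage,
 * touch every slot (as vfprintf does when it resolves argument types) and
 * report where it went: the choose_storage code, or -2 if malloc failed. */
int build_table(const char *fmt) {
    size_t count = max_positional(fmt);
    int where = choose_storage(count);
    if (where < 0) return where;

    size_t bytes = count * sizeof(argslot);
    argslot *table;
    if (where == 0) {
        table = alloca(bytes);           /* valid until this function returns */
    } else {
        table = malloc(bytes);
        if (table == NULL) return -2;
    }
    for (size_t i = 0; i < count; i++) {
        table[i].type = 0;
        table[i].value = (long)i;
    }
    if (where == 1) free(table);
    return where;
}
```

The table size is driven by the largest %N$ index in the format string alone, not by how many arguments the caller actually passed, so the caller's argument count offers no protection; both the multiplication-wrap check and the cutoff are needed before any memory is reserved.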
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glibc - 2.7-10ubuntu8.2

---------------
glibc (2.7-10ubuntu8.2) hardy-security; urgency=low

  * SECURITY UPDATE: buffer overflow in vfprintf handling
    - debian/patches/any/CVE-2012-3404.patch: Fix allocation when
      handling positional parameters in printf.
    - CVE-2012-3404
  * SECURITY UPDATE: buffer overflow in vfprintf handling
    - debian/patches/any/CVE-2012-3405.patch: fix extension of array
    - CVE-2012-3405
  * SECURITY UPDATE: stack buffer overflow in vfprintf handling
    (LP: #1031301)
    - debian/patches/any/CVE-2012-3406.patch: switch to malloc when
      array grows too large to handle via alloca extension
    - CVE-2012-3406
  * SECURITY UPDATE: stdlib strtod integer/buffer overflows
    - debian/patches/any/CVE-2012-3480.patch: rearrange calculations
      and modify types to avoid integer overflows
    - CVE-2012-3480
  * debian/expected_test_summary: update expected results to prevent FTBFS
 -- Steve Beattie <email address hidden> Fri, 28 Sep 2012 08:21:34 -0700

Changed in glibc (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

CVE-2012-3406 still needs to be addressed in quantal, reopening for that. Attached is a debdiff to do so.

Changed in eglibc (Ubuntu):
status: Fix Released → In Progress
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "eglibc_2.15-0ubuntu19.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Adam Conrad (adconrad)
Changed in eglibc (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package eglibc - 2.15-0ubuntu20

---------------
eglibc (2.15-0ubuntu20) quantal; urgency=low

  * Backport fixes for dbl-64 and ldbl-128 issues (LP: #1000498)
  * Backport another FMA support patch from glibc master branch.

eglibc (2.15-0ubuntu19) quantal-proposed; urgency=low

  * SECURITY UPDATE: stack buffer overflow in vfprintf handling
    (LP: #1031301)
    - debian/patches/any/CVE-2012-3406.patch: switch to malloc when
      array grows too large to handle via alloca extension
    - CVE-2012-3406
  * SECURITY UPDATE: stdlib strtod integer/buffer overflows
    - debian/patches/any/CVE-2012-3480.patch: rearrange calculations
      and modify types to avoid integer overflows
    - CVE-2012-3480
 -- Adam Conrad <email address hidden> Wed, 03 Oct 2012 15:58:02 -0600

Changed in eglibc (Ubuntu):
status: Fix Committed → Fix Released
Adam Conrad (adconrad)
tags: added: verification-done
Revision history for this message
Colin Watson (cjwatson) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
