glibc: CVE-2015-7547

[tianon]

CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

https://googleonlinesecurity.blogspot.no/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

---

• alpine: no glibc package available
• busybox: Rebuild busybox to account for CVE-2015-7547 #1451
• centos (RHEL derivative): update as of 20160217 - fixes glibc cve #1455
  • https://access.redhat.com/security/cve/CVE-2015-7547
• crux:
  • https://crux.nu/gitweb/?p=ports/core.git;a=history;f=glibc;hb=HEAD
• debian: Update debian (especially for CVE-2015-7547) #1450
  • https://security-tracker.debian.org/tracker/CVE-2015-7547
• fedora: update fedora 23 and rawhide for glibc: CVE-2015-7547 #1456, update fedora 22 and 23 for glibc: CVE-2015-7547 #1461
  • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7547
• mageia: Update Mageia 5 (especially for CVE-2015-7547) #1468
  • https://advisories.mageia.org/MGASA-2016-0079.html (https://lwn.net/Articles/676456/)
  • https://bugs.mageia.org/show_bug.cgi?id=17394
  • https://bugs.mageia.org/buglist.cgi?quicksearch=ALL%20CVE-2015-7547
• opensuse: Update openSUSE 42.1 and tumbleweed #1460, update openSUSE 13.2 image #1465
  • https://bugzilla.novell.com/show_bug.cgi?id=CVE-2015-7547
• oraclelinux: Updated Oracle Linux 7.2 and 6.7 images to resolve CVE-2015-7547. #1453
  • http://linux.oracle.com/cve/CVE-2015-7547.html
• photon:
  • vmware/photon@fdf30fa
  • https://github.com/vmware/photon/tree/master/SPECS/glibc
• sourcemage:
  • http://scmweb.sourcemage.org/?p=smgl/grimoire.git;a=history;f=libs/glibc
  • http://www.sourcemage.org/projects/grimoire/search?q=CVE-2015-7547
• ubuntu: Update ubuntu (especially for CVE-2015-7547) #1454
  • http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7547.html
    • http://people.canonical.com/~ubuntu-security/cve/priority.html (for reference)
  • http://www.ubuntu.com/usn/usn-2900-1/

[tianon]

RHEL 6 and RHEL 7 have fixes (cc @jperrin)

Fedora has an update submitted (cc @maxamillion)

openSUSE update is in-progress (cc @flavio)

[tianon]

Debian tarballs are in-progress (almost complete -- just waiting on the sid/unstable packages to propagate)

Ubuntu doesn't have updated packages yet

[jperrin]

our packages are syncing to the mirrors now. I'll have an updated build shortly.

[Djelibeybi]

OL6 and OL7 have fixes and a new build has been requested from our build team.

[ThiefMaster]

will all the official docker-library images be rebuilt automatically?

[tianon]

@ThiefMaster yes, they're in-progress right now

@jperrin @Djelibeybi thanks for the updates! 👍

[diogomonica]

@tianon this has the patched packages http://www.ubuntu.com/usn/usn-2900-1/

[tianon]

@diogomonica nice -- wonder why they didn't update http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7547.html yet

I'll give our Canonical contacts a poke and see what the ETA for updated tarballs is.

(At their request, we consume their tarballs from https://partner-images.canonical.com/core/, built by Canonical on their official infra, so as soon as those are updated I can update the image.)

[diogomonica]

@tianon yeah, I didn't understand that either. I was checking the CVE page too.

[tianon]

Heard back and Ubuntu rebuilds are in progress downstream! 👍

[diogomonica]

Great!

[tianon]

As a minor update, there was a snag in Canonical's update process that's delayed the artifact generation on their side -- I'll keep an eye on things, but it looks like we likely won't get those artifacts until early tomorrow (relative to PST).

[Djelibeybi]

Oracle images updated in #1453

[ThiefMaster]

What's the best way to see whether an official image has already been updated or not? For example the mongo image on docker hub still shows "last pushed 14d ago" so i guess it's still vulnerable?

[macropin]

@tianon when can we expect all the major images to be rebuilt eg centos and secondary eg mariadb, nginx etc? It looks like you guys have gone to bed. We are sitting around waiting for this to happen so we can patch production systems. Thanks.

[tianon]

@macropin for CentOS, we're waiting for the image maintainer to provide an updated rootfs; for the Debian-based portion of the library, we're waiting for the images themselves to finish rebuilding (there are a ton of them, and it takes quite a while to rebuild them all)

Ubuntu is going to have a PR shortly.

[tianon]

Both ubuntu and buildpack-deps are now fully updated. Rebuilds of dependent images are still in-progress.

[flavio]

Just a quick update, openSUSE 42.1, 13.2 and tumbleweed packages are being rolled out at different paces. I'll update all the images as soon as the packages are there.

[ThiefMaster]

Out of curiosity, why do the rebuilds take so long for the debian-based images?

[tianon]

That'd mostly be because we have over 300 officially supported tags based directly on debian, and over 200 based indirectly on it via buildpack-deps (not to mention further chains going through language images).

[tianon]

Thanks @flavio! ❤️

[jperrin]

Sorry for the delay on getting this one in. #1455

[tianon]

https://bugzilla.redhat.com/show_bug.cgi?id=1308943#c7 claims the update is available 😄

[macropin]

And the latest fedora:23 image still contains the vulnerable glibc.

[root@docker docker-cve]# docker pull fedora:23 
Trying to pull repository docker.io/library/fedora ... 23: Pulling from library/fedora
b0082ba983ef: Already exists 
a7a02e6029ae: Already exists 
Digest: sha256:f538e5517cb2160e869647f0bff049e4ee38d5dde4ba75b50ff213831426ba05
Status: Image is up to date for docker.io/fedora:23
[root@docker docker-cve]# docker images |grep fedora
docker.io/fedora                     23                  a7a02e6029ae        8 hours ago         204.4 MB
docker.io/fedora                     latest              a7a02e6029ae        8 hours ago         204.4 MB
[root@docker docker-cve]# docker run --rm -ti fedora:23 bash
[root@db80f371f2e1 /]# rpm -qva |grep glibc
glibc-common-2.22-7.fc23.x86_64
glibc-2.22-7.fc23.x86_64

[tianon]

@macropin thanks for the additional info and testing -- @maxamillion thoughts on what might've happened? 😕

[tianon]

@frapposelli just realized I need to add photon to my template 😄 Is there an official "security tracker" for the OS yet, or is the best place to look for updates just going to be the SPECS directory in https://github.com/vmware/photon ? It doesn't look like glibc there is updated yet (https://github.com/vmware/photon/tree/master/SPECS/glibc).

[maxamillion]

@macropin @tianon - yup, totally my fault. I'm getting that fixed up and the Fedora 22 image built, will have a pull request asap. Apologies.

[frapposelli]

@tianon no security tracker at the moment (working on that), best way is to look at the SPEC dir (either master or dev branch).

Seems like the guys already pushed a patch: vmware/photon@fdf30fa

[maxamillion]

@tianon Apologies for the mistake on the Fedora 23 image and the delay on the Fedora 22 image. #1461

[tianon]

Ok, Fedora fix is pushed. 😄 👍

[tianon]

@frapposelli nice! 😄 Does that mean it's ready for an image rootfs rebuild, or is there further process it has to go through first?

[frapposelli]

@tianon they have an automated process that uploads the new artifacts, I'm checking with them for a timeline, once they're up I will send a PR with the update 👍

[tianon]

@frapposelli rock on, sounds great ❤️

[tianon]

@juanluisbaptiste looks like mageia:5 is ready for a rootfs rebuild? 😄

• https://advisories.mageia.org/MGASA-2016-0079.html (https://lwn.net/Articles/676456/)
• https://bugs.mageia.org/show_bug.cgi?id=17394

[juanluisbaptiste]

@tianon yes I already did the image update locally, but it seems I got distracted by something and totally forgot to finish it, probably I saw a squirrel through the window or something hehe. I'll finish the update later today when I'm back home.

[juanluisbaptiste]

@tianon Ready, please check.

[tianon]

I think this is likely as good as it's going to get at this point. 👍