994359 – (CVE-2016-6323) VUL-0: CVE-2016-6323: glibc: Missing unwind information on ARM EABI (32-bit) causes backtrace generation to hang

Bug 994359 (CVE-2016-6323) - VUL-0: CVE-2016-6323: glibc: Missing unwind information on ARM EABI (32-bit) causes backtrace generation to hang

Summary: VUL-0: CVE-2016-6323: glibc: Missing unwind information on ARM EABI (32-bit) ...

Status:	RESOLVED FIXED

Alias:	CVE-2016-6323

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other openSUSE 13.2

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Andreas Schwab
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/172001/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2016-08-18 12:37 UTC by Marcus Meissner
Modified:	2016-10-04 14:10 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2016-08-18 12:37:12 UTC

CVE-2016-6323


 Andreas Schwab of SuSE reported and fixed a glibc bug where the makecontext function would create an execution context which is incompatible with the unwinder, causing it to hang when the generation of a backtrace is attempted:


  https://sourceware.org/bugzilla/show_bug.cgi?id=20435

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617

This is a minor denial-of-service vulnerability.

The bug is specific to ARM EABI (32-bit) and does not affect other architectures. So far, only certain applications compiled using gccgo (not the main golang.org toolchain) are known to be affected.


Red Hat Product Security has assigned CVE-2016-6323 to this issue.

Thanks,
Florian



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6323
http://seclists.org/oss-sec/2016/q3/318

Comment 1 Marcus Meissner 2016-08-18 12:38:01 UTC

arm 32bit is used only on opensuse.

Comment 2 Swamp Workflow Management 2016-08-18 22:00:41 UTC

bugbot adjusting priority

Comment 3 Bernhard Wiedemann 2016-09-22 10:00:37 UTC

This is an autogenerated message for OBS integration:
This bug (994359) was mentioned in
https://build.opensuse.org/request/show/429438 13.2 / glibc

Comment 4 Andreas Stieger 2016-10-04 11:04:00 UTC

Releasing openSUSE update

Comment 5 Swamp Workflow Management 2016-10-04 14:10:12 UTC

openSUSE-SU-2016:2443-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 994359,994576
CVE References: CVE-2016-6323
Sources used:
openSUSE 13.2 (src):    glibc-2.19-16.28.1, glibc-testsuite-2.19-16.28.2, glibc-utils-2.19-16.28.1