Bug 994359 - (CVE-2016-6323) VUL-0: CVE-2016-6323: glibc: Missing unwind information on ARM EABI (32-bit) causes backtrace generation to hang
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.2
Priority: P3 - Medium  Severity: Normal
Assigned To: Andreas Schwab
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/172001/
Reported: 2016-08-18 12:37 UTC by Marcus Meissner
Modified: 2016-10-04 14:10 UTC
Found By: Security Response Team
Description Marcus Meissner 2016-08-18 12:37:12 UTC
CVE-2016-6323


Andreas Schwab of SuSE reported and fixed a glibc bug where the makecontext function would create an execution context which is incompatible with the unwinder, causing it to hang when the generation of a backtrace is attempted:

https://sourceware.org/bugzilla/show_bug.cgi?id=20435

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9e2ff6c9cc54c0b4402b8d49e4abe7000fde7617

This is a minor denial-of-service vulnerability.

The bug is specific to ARM EABI (32-bit) and does not affect other architectures. So far, only certain applications compiled using gccgo (not the main golang.org toolchain) are known to be affected.


Red Hat Product Security has assigned CVE-2016-6323 to this issue.

Thanks,
Florian



References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6323
http://seclists.org/oss-sec/2016/q3/318
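
A check for the condition described above, as an added example that is not part of the bug report or of glibc's own code: it calls backtrace() from a function started through makecontext() and uses an alarm() watchdog to turn a non-terminating unwind into an exit code. The names backtrace_in_makecontext, probe and watchdog, the 5-second limit and the stack size are assumptions of this example.

```c
#include <execinfo.h>
#include <signal.h>
#include <ucontext.h>
#include <unistd.h>

#define WATCHDOG_SECONDS 5 /* assumed limit; a healthy unwind finishes at once */

static ucontext_t main_ctx, probe_ctx;
static char probe_stack[256 * 1024]; /* assumed size for the new context's stack */
static volatile int frames_seen;

/* Fires only if backtrace() never returns, i.e. the unwinder is looping. */
static void watchdog(int sig)
{
    static const char msg[] = "backtrace() inside makecontext() did not terminate\n";
    (void)sig;
    write(STDERR_FILENO, msg, sizeof msg - 1);
    _exit(2);
}

/* Entry point of the new context; its caller is glibc's context start code. */
static void probe(void)
{
    void *frames[64];
    frames_seen = backtrace(frames, 64);
}

/* Returns the frame count backtrace() reported inside the context, or -1. */
int backtrace_in_makecontext(void)
{
    frames_seen = -1;
    if (getcontext(&probe_ctx) != 0)
        return -1;
    probe_ctx.uc_stack.ss_sp = probe_stack;
    probe_ctx.uc_stack.ss_size = sizeof probe_stack;
    probe_ctx.uc_link = &main_ctx; /* resume in main_ctx when probe() returns */
    makecontext(&probe_ctx, probe, 0);
    signal(SIGALRM, watchdog);
    alarm(WATCHDOG_SECONDS);       /* armed only around the unwind itself */
    int rc = swapcontext(&main_ctx, &probe_ctx);
    alarm(0);                      /* unwind terminated; disarm the watchdog */
    return rc == 0 ? frames_seen : -1;
}

int main(void)
{
    return backtrace_in_makecontext() > 0 ? 0 : 1;
}
```

On 32-bit ARM, compile with -funwind-tables so the unwinder can walk past probe() into the context start code. Exit status 0 means the backtrace terminated, 2 means the watchdog fired.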
Comment 1 Marcus Meissner 2016-08-18 12:38:01 UTC
ARM 32-bit is used only on openSUSE.
Comment 2 Swamp Workflow Management 2016-08-18 22:00:41 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2016-09-22 10:00:37 UTC
This is an autogenerated message for OBS integration:
This bug (994359) was mentioned in
https://build.opensuse.org/request/show/429438 13.2 / glibc
Comment 4 Andreas Stieger 2016-10-04 11:04:00 UTC
Releasing openSUSE update
Comment 5 Swamp Workflow Management 2016-10-04 14:10:12 UTC
openSUSE-SU-2016:2443-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 994359,994576
CVE References: CVE-2016-6323
Sources used:
openSUSE 13.2 (src):    glibc-2.19-16.28.1, glibc-testsuite-2.19-16.28.2, glibc-utils-2.19-16.28.1