Bug 1471109 - stackguard (CVE-2017-1000366) number not found in glibc changelog
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: glibc
6.9
x86_64 Linux
unspecified Severity medium
: rc
: ---
Assigned To: glibc team
qe-baseos-tools
: Patch
Depends On:
Blocks: 1471111
Reported: 2017-07-14 08:36 EDT by Deepu K S
Modified: 2017-08-16 13:32 EDT

Clone Of:
: 1471111
Last Closed: 2017-08-16 13:32:30 EDT
Type: Bug
Description Deepu K S 2017-07-14 08:36:58 EDT
Description of problem:
It is seen that the CVE number [CVE-2017-1000366] from the stackguard vulnerability is not added in the glibc rpm changelog.

Seen for both RHEL 6 and RHEL 7.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 6, 7
glibc-2.17-157.el7_3.4.x86_64
glibc-2.12-1.209.el6_9.2.x86_64

How reproducible:
Always

Steps to Reproduce:
1. # rpm -q --changelog glibc

Actual results:
RHEL 6:
* Fri May 26 2017 Florian Weimer <fweimer@redhat.com> - 2.12-1.209.2
- Avoid large allocas in the dynamic linker (#1452711)

RHEL 7:
* Fri May 26 2017 Florian Weimer <fweimer@redhat.com> - 2.17-157.4
- Avoid large allocas in the dynamic linker (#1452720)

If we check the kernel changelog, it mentions the CVE.

# rpm -qp kernel-2.6.32-696.6.3.el6.x86_64.rpm --changelog | grep -i CVE-2017-10003
- [mm] enlarge stack guard gap (Larry Woodman) [1452729 1452730] {CVE-2017-1000364 CVE-2017-1000366}

# rpm -qp kernel-3.10.0-514.26.2.el7.x86_64.rpm --changelog | grep -i "CVE-2017-10003"
- [mm] enlarge stack guard gap (Larry Woodman) [1452732 1452733] {CVE-2017-1000364}

Expected results:
* Fri May 26 2017 Florian Weimer <fweimer@redhat.com> - 2.17-157.4
- CVE-2017-1000366: Avoid large allocas in the dynamic linker (#1452720)


Additional info:

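Added example (not part of the original bug report and not Red Hat tooling): a shell helper that audits `rpm -q --changelog` text for a fix by CVE id and falls back to the Bugzilla number, which is why a CVE-only grep misses the glibc entry quoted in the report. The function names and the kernel entry header are constructed; the changelog item lines are the ones quoted in the report.

```shell
#!/bin/sh
# find_fix CVE BUGID
# Reads `rpm -q --changelog <pkg>` text on stdin and prints one line:
#   "cve: <entry header>"  the newest entry that names the CVE id
#   "bug: <entry header>"  no CVE id found, but the Bugzilla number matches
#   "none"                 neither identifier appears
find_fix() {
    awk -v cve="$1" -v bug="$2" '
        /^\* /       { header = $0; next }   # "* <date> <author> - <version>"
        header == "" { next }                # skip anything before the first entry
        !by_cve && index(toupper($0), toupper(cve)) { by_cve = header }
        # Pad the line so the bug number only matches as a whole token,
        # e.g. "(#1452720)" or "[1452729 1452730]", never inside a longer number.
        !by_bug && (" " $0 " ") ~ ("[^0-9]" bug "[^0-9]") { by_bug = header }
        END {
            if (by_cve)      print "cve: " by_cve
            else if (by_bug) print "bug: " by_bug
            else             print "none"
        }'
}

# Constructed sample input: the RHEL 7 glibc entry quoted in the report.
glibc_el7_changelog() {
cat <<'EOF'
* Fri May 26 2017 Florian Weimer <fweimer@redhat.com> - 2.17-157.4
- Avoid large allocas in the dynamic linker (#1452720)
EOF
}

# Constructed sample input: the report only shows the item line of the RHEL 6
# kernel entry, so the header below is a placeholder.
kernel_el6_changelog() {
cat <<'EOF'
* [constructed header] kernel-2.6.32-696.6.3.el6
- [mm] enlarge stack guard gap (Larry Woodman) [1452729 1452730] {CVE-2017-1000364 CVE-2017-1000366}
EOF
}

# On a live system: rpm -q --changelog glibc | find_fix CVE-2017-1000366 1452720
glibc_el7_changelog  | find_fix CVE-2017-1000366 1452720
kernel_el6_changelog | find_fix CVE-2017-1000366 1452729
```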