Wind River Security Vulnerability Notice: Stack-heap overflow Vulnerabilities - CVE-2017-1000364, CVE-2017-1000365, CVE-2017-1000366
Wind River® is committed to delivering secure, reliable products that keep your devices protected. As part of this commitment, our Security Response Team is constantly monitoring and assessing thousands of notifications from CERT-accepted authorities and agencies, Linux security communities such as oss-security, and our customers. Wind River prioritizes these notifications, responds, and proactively contacts customers for timely alerts, enabling them to secure their devices.
The latest reported stack/heap overflow vulnerabilities, tracked under the following CVE entries - CVE-2017-1000364 (linux), CVE-2017-1000365 (linux), CVE-2017-1000366 (glibc), have been addressed by the Security Response Team. The following Wind River Linux versions are affected:
Linux 9
Linux 8
Linux 7
Linux 6
Linux 5
This issue has been rated as HIGH, reference https://knowledge.windriver.com/en-us/020_Product_Support_Policies/010/000_Security_Vulnerability_Response_Policy
There are 2 parts of fixes, one fix is for glibc, the other fix is for linux kernel. The glibc fix is available below. Please download the patches and follow the steps in ** Installation Notes ** to apply the patches.
The linux kernel patches are not ready yet. We will update this page when the patches are available.
We will continue to monitor the situation in case there are new developments. If necessary, we will post periodic updates via RSS feeds and the Wind River Support Network.
www.windriver.com/feeds/wrlinux_900.xml
www.windriver.com/feeds/wrlinux_800.xml
www.windriver.com/feeds/wrlinux_700.xml
www.windriver.com/feeds/wrlinux_600.xml
www.windriver.com/feeds/wrlinux_500.xml
2017.05.19: Initial version, patches for glibc (CVE-2017-1000366)
2017.05.20: Patches for Linux (CVE-2017-1000364 & CVE-2017-1000365), WR 9/8
2017.05.21: Patches for Linux (CVE-2017-1000364 & CVE-2017-1000365), WR 7
2017.05.22: Refresh the kernel patch of WRL7, and add an additional kernel patch for WRL7. Add the patches for Linux (CVE-2017-1000364 & CVE-2017-1000365) of WRL6
2017.05.23: Update the glibc patch for WRL8 to avoid a patch conflict. And appending --whitespace=nowarn to all 'git am' commands. Add kernel patches for WRL5. Add additional kernel patches for WRL8/WRL9
2017.05.26: Reupload the first kernel patch for WRL7
Please update to the latest RCPL for all products.
Note: the CVE-2017-1000365 is duplicate of CVE-2017-1000364. The patch WRL*..-CVE-2017-1000364.patch can fix both CVE-2017-1000364 and CVE-2017-1000365.
1) Wind River Linux 9
create a new project
$./wrlinux-9/setup.sh --machine ... ...
$cd layers/oe-core
$git am --whitespace=nowarn WRL9-glibc-preliminary-fix-to-CVE-2017-1000366.patch
$cd layers/wr-kernel
$git am --whitespace=nowarn WRL9-linux-preliminary-fix-to-CVE-2017-1000364.patch
$git am --whitespace=nowarn WRL9-linux-preliminary-fix-to-CVE-2017-1000364-append.patch
(build as normal)
2) Wind River Linux 8
create a new project
$configure --enable-kernel=... --enable-board=... ...
$cd layers/oe-core
$git am --whitespace=nowarn WRL8-glibc-preliminary-fix-to-CVE-2017-1000366.patch
$cd layers/wr-kernel
$git am --whitespace=nowarn WRL8-linux-preliminary-fix-to-CVE-2017-1000364.patch
$git am --whitespace=nowarn WRL8-linux-preliminary-fix-to-CVE-2017-1000364-append.patch
$make fs
3) Wind River Linux 7
create a new project
$configure --enable-kernel=... --enable-board=... ...
$cd layers/oe-core
$git am --whitespace=nowarn WRL7-glibc-preliminary-fix-to-CVE-2017-1000366.patch
$cd layers/wr-kernel
$git am --whitespace=nowarn WRL7-linux-preliminary-fix-to-CVE-2017-1000364.patch
$git am --whitespace=nowarn WRL7-linux-preliminary-fix-to-CVE-2017-1000364-append.patch
$ echo USE_SDK_GLIBC = "0" >> local.conf
$make fs
4) Wind River Linux 6
$configure --with-template=feature/build_libc --enable-kernel=... --enable-board=... ...
$make -C build eglibc-sourcery-compile.patch
$cd build/eglibc-sourcery-compile/glibc-2.18-4.8
$patch -Np2 < WRL6-glibc-preliminary-fix-to-CVE-2017-1000366.patch
$cd layers/wr-kernel
$git am --whitespace=nowarn WRL6-linux-preliminary-fix-to-CVE-2017-1000364.patch
$make fs
5) Wind River Linux 5
$configure --enable-build-libc --enable-kernel=... --enable-board=... ...
$make -C build wrl-glibc-rebuild.patch
$cd build/wrl-glibc-rebuild-2.15-4.6a-153-r2/glibc-2.15-4.6a-153 #OR the version you are using#
$patch -Np2 < WRL5-glibc-preliminary-fix-to-CVE-2017-1000366.patch
$cd layers/wr-kernel
$git am --whitespace=nowarn WRL5-linux-preliminary-fix-to-CVE-2017-1000364.patch
$make fs