1) CVE-2019-1010023 Description: "GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code." Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=22851 Patch: No fix yet, WIP by upstream 2) CVE-2019-1010024 Description: "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc." Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=22852 Patch: No fix yet
3) CVE-2019-1010022 Description: "GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard." Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=22850 Patch: No fix yet
My impression is that upstream sees these more as "enhancement requests" than as actual security bugs.
(In reply to Andreas K. Hüttel from comment #2) > My impression is that upstream sees these more as "enhancement requests" > than as actual security bugs. I agree, although it'd be nice to get them fixed eventually. They haven't officially disrupted the CVEs though. :/
No news upstream.