Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 677272 (CVE-2019-7309)

Summary: <sys-libs/glibc-2.30-r6 : x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-2019-7309)
Product: Gentoo Security Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: toolchain
Priority: Low    
Version: unspecified   
Hardware: x86   
OS: Linux   
URL: https://sourceware.org/bugzilla/show_bug.cgi?id=24155
Whiteboard: A4 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 712726    
Bug Blocks:    

Description D'juan McDonald (domhnall) 2019-02-04 18:56:38 UTC 
(https://nvd.nist.gov/vuln/detail/CVE-2019-7309):

In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.

@maintainter(s): master branch for 2.27 was updated [ Mon Feb 4 08:55:52 2019 ],
via 2ebadb6451eda1d518d70e26cf4ceeb0362e2456. 


Gentoo Security Padawan
(domhnall)
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2020-03-23 21:31:48 UTC 
Fixed in 2.30
Comment 2 NATTkA bot gentoo-dev 2020-04-12 19:30:13 UTC 
Unable to check for sanity:

> dependent bug #712726 is missing keywords
Comment 3 NATTkA bot gentoo-dev 2020-04-13 14:41:16 UTC 
Resetting sanity check; package list is empty or all packages are done.
Comment 4 Larry the Git Cow gentoo-dev 2020-05-04 18:37:38 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cce133930b2d85cd8bed66715857ccf550048bbd

commit cce133930b2d85cd8bed66715857ccf550048bbd
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2020-05-04 18:35:42 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2020-05-04 18:37:12 +0000

    package.mask: Update old glibc mask, now masking <2.30-r8
    
    Bug: https://bugs.gentoo.org/712726
    Bug: https://bugs.gentoo.org/677272
    Bug: https://bugs.gentoo.org/679044
    Bug: https://bugs.gentoo.org/711558
    Bug: https://bugs.gentoo.org/717938
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2020-05-22 00:41:19 UTC 
Removed from tree, adding to GLSA
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-06-13 01:04:50 UTC 
This issue was resolved and addressed in
 GLSA 202006-04 at https://security.gentoo.org/glsa/202006-04
by GLSA coordinator Aaron Bauman (b-man).