
Bug 717058 (CVE-2020-6096)

Summary: <sys-libs/glibc-2.31-r6: Signed comparison vulnerability in the ARMv7 memcpy() (CVE-2020-6096)
Product: Gentoo Security    Reporter: Sam James <sam>
Component: Vulnerabilities    Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: alexander, herrtimson, toolchain
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://sourceware.org/bugzilla/show_bug.cgi?id=25620
Whiteboard: A3 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 727758    
Bug Blocks:    

Description Sam James archtester gentoo-dev Security 2020-04-11 11:42:58 UTC
Description:
"An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data."

It's not clear that upstream actually agree it's a security bug.
They have not formally disputed the CVE though.
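The quoted description turns on a length that wraps to a huge size_t and is then compared as if it were signed. The following is an added illustration, not code from glibc or from this bug; the packet-offset scenario and the helper names are constructed. It shows how such a length arises from an unchecked subtraction and the caller-side check that rejects it before it ever reaches memcpy().

```c
/* Added example: how a wrapped size_t length looks "negative" to a signed
 * comparison, and a bounded copy that refuses it. Not glibc code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* Unchecked "bytes remaining": when off > total the subtraction wraps
 * to a value near SIZE_MAX. This is the kind of value the vulnerable
 * ARMv7 memcpy() compared as a signed integer. */
size_t naive_remaining(size_t total, size_t off) {
    return total - off;
}

/* True when a routine that treats the length as signed (the defect in
 * this CVE) would see `n` as negative. The cast reproduces that view. */
bool looks_negative_to_signed_compare(size_t n) {
    return (intptr_t)n < 0;
}

/* Copy `len` bytes at `off` from a buffer of `total` bytes into dst.
 * Every bound is checked before memcpy() is reached, so no wrapped or
 * oversized length can be passed down. Returns 0 on success, -1 if refused. */
int bounded_copy(unsigned char *dst, size_t dstcap,
                 const unsigned char *src, size_t total,
                 size_t off, size_t len) {
    if (off > total)          return -1;   /* total - off would wrap */
    if (len > total - off)    return -1;   /* read past end of source */
    if (len > dstcap)         return -1;   /* write past end of dest  */
    memcpy(dst, src + off, len);
    return 0;
}

/* Self-check on constructed data: the wrapped path is refused, the
 * in-bounds path copies the expected bytes. Returns 1 when all hold. */
int demo_ok(void) {
    unsigned char pkt[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed input */
    unsigned char dst[4] = {0};
    if (!looks_negative_to_signed_compare(naive_remaining(4, 8))) return 0;
    if (looks_negative_to_signed_compare(naive_remaining(8, 4)))  return 0;
    if (bounded_copy(dst, sizeof dst, pkt, sizeof pkt, 9, 0) != -1) return 0;
    if (bounded_copy(dst, sizeof dst, pkt, sizeof pkt, 2, 7) != -1) return 0;
    if (bounded_copy(dst, sizeof dst, pkt, sizeof pkt, 4, 4) != 0)  return 0;
    return dst[0] == 5 && dst[3] == 8;
}
```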
Comment 1 tt_1 2020-05-15 12:31:52 UTC
this got fixed upstream by these two commits: 

https://sourceware.org/git/?p=glibc.git;a=patch;h=eec0f4218cda936a6ab8f543e90b96b196df3fc2
https://sourceware.org/git/?p=glibc.git;a=patch;h=eca1b233322914d9013f3ee4aabecaadc9245abd

found via https://sourceware.org/bugzilla/show_bug.cgi?id=25620#c25

they apply to glibc-2.30-r8, but I could imagine glibc-2.31-r3 being the better place to backport this since 2.30 is already stable
Comment 2 Alexander Tsoy 2020-07-16 09:38:31 UTC
(In reply to tt_1 from comment #1)
> this got fixed upstream by these two commits: 
These commits only added tests. The vulnerability was really fixed only recently:
https://sourceware.org/bugzilla/show_bug.cgi?id=25620#c27
Comment 3 tt_1 2020-07-18 16:07:17 UTC
this got fixed in glibc-2.31 patchset8:

sys-libs/glibc: 2.31 bump to patchset 8, finally stable candidate

* arm: fix for CVE-2020-6096
* en_US: minimize changes to date_fmt (backport from 2.32)
* x86-64: fix avx2 strncmp offset compare condition check
* ia64: fix miscompilation on gcc-10
Comment 4 Sam James archtester gentoo-dev Security 2020-07-18 16:27:41 UTC
Thanks both.
Comment 5 Larry the Git Cow gentoo-dev 2020-10-30 19:29:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25382c826776a6af264da6af0153022bc30487ff

commit 25382c826776a6af264da6af0153022bc30487ff
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2020-10-30 19:27:56 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2020-10-30 19:29:02 +0000

    package.mask: extend glibc mask to <2.31-r6
    
    Bug: https://bugs.gentoo.org/717058
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Andreas K. Hüttel gentoo-dev 2020-10-30 19:30:01 UTC
All masked. Security please proceed. No cleanup.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2021-01-25 00:05:58 UTC
This issue was resolved and addressed in
 GLSA 202101-20 at https://security.gentoo.org/glsa/202101-20
by GLSA coordinator Aaron Bauman (b-man).