Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711318 (CVE-2019-1010022, CVE-2019-1010023, CVE-2019-1010024) - sys-libs/glibc: Multiple vulnerabilities (CVE-2019-{1010022,1010023,1010024})
Summary: sys-libs/glibc: Multiple vulnerabilities (CVE-2019-{1010022,1010023,1010024})
Status: UNCONFIRMED
Alias: CVE-2019-1010022, CVE-2019-1010023, CVE-2019-1010024
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-02 14:24 UTC by Sam James
Modified: 2023-08-23 17:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-02 14:24:00 UTC 
1) CVE-2019-1010023

Description:
"GNU Libc current is affected by: Re-mapping current loaded libray with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code."

Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=22851
Patch: No fix yet, WIP by upstream

2) CVE-2019-1010024
Description:
"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc."

Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=22852
Patch: No fix yet
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-02 14:26:45 UTC 
3) CVE-2019-1010022

Description:
"GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard."

Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=22850
Patch: No fix yet
Comment 2 Andreas K. Hüttel archtester gentoo-dev 2020-03-23 21:15:06 UTC 
My impression is that upstream sees these more as "enhancement requests" than as actual security bugs.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-25 16:24:26 UTC 
(In reply to Andreas K. Hüttel from comment #2)
> My impression is that upstream sees these more as "enhancement requests"
> than as actual security bugs.

I agree, although it'd be nice to get them fixed eventually. They haven't officially disrupted the CVEs though. :/
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2021-02-27 16:44:46 UTC 
No news upstream.
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2021-08-04 21:31:42 UTC 
No news upstream.
Comment 6 Andreas K. Hüttel archtester gentoo-dev 2023-08-23 17:39:50 UTC 
No news upstream.