Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 713284 (CVE-2019-14871, CVE-2019-14872, CVE-2019-14873, CVE-2019-14874, CVE-2019-14875, CVE-2019-14876, CVE-2019-14877, CVE-2019-14878) - <sys-libs/newlib-3.3.0: Multiple vulnerabilities (CVE-2019-{14871,14872,14873,14874,14875,14876,14877,14878})
Summary: <sys-libs/newlib-3.3.0: Multiple vulnerabilities (CVE-2019-{14871,14872,14873...
Status: RESOLVED FIXED
Alias: CVE-2019-14871, CVE-2019-14872, CVE-2019-14873, CVE-2019-14874, CVE-2019-14875, CVE-2019-14876, CVE-2019-14877, CVE-2019-14878
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://census-labs.com/news/2020/01/...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 717610
Blocks:
  Show dependency tree
 
Reported: 2020-03-18 19:30 UTC by Sam James
Modified: 2020-06-18 02:51 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-18 19:30:19 UTC
Please see URL for full details:
"During the security assessment of a firmware binary a number of NULL pointer dereference bugs were found caused by newlib-nano code.
It turns out that newlib-nano was part of the "GNU ARM Embedded Toolchain" that the chip manufacturer (Microchip/Atmel) delivered for application development purposes.
newlib-nano inherits code from the newlib project, which is a C library intended for use on embedded systems. 
All NULL pointer dereference bugs identified in newlib-nano were inherited by newlib code and therefore CENSUS reported the respective vulnerabilities to the upstream project.
Users of the newlib library are advised to update to version 3.3.0
make sure to build the library sources with the newlib-reent-check-verify 'configure' option enabled."

This option is enabled for newlib-3.3.0.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-30 15:08:45 UTC
@maintainer(s), please advise if ready for stabilisation, or call yourself.
Comment 2 Larry the Git Cow gentoo-dev 2020-03-31 07:02:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae8fe4521b047d71437f98218ff595715f41cfc9

commit ae8fe4521b047d71437f98218ff595715f41cfc9
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-03-31 07:02:28 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-03-31 07:02:28 +0000

    sys-libs/newlib: drop old, bug #713284
    
    Bug: https://bugs.gentoo.org/713284
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 sys-libs/newlib/Manifest            |   3 -
 sys-libs/newlib/newlib-2.2.0.ebuild |  81 ---------------------
 sys-libs/newlib/newlib-2.5.0.ebuild | 139 -----------------------------------
 sys-libs/newlib/newlib-3.1.0.ebuild | 141 ------------------------------------
 4 files changed, 364 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed3befc9560963f41c7c8cc2c215c3ff0d8b4355

commit ed3befc9560963f41c7c8cc2c215c3ff0d8b4355
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-03-31 07:01:34 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-03-31 07:01:34 +0000

    sys-libs/newlib: drop stable keywords, bug #713284
    
    The package is only used to bootstrap embedded cross-compilers.
    Stable keywords don't make much sense. Let users manage keywords
    themselves.
    
    Bug: https://bugs.gentoo.org/713284
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 sys-libs/newlib/newlib-2.2.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-18 09:12:09 UTC
Cleanup was done and stable keywords were dropped.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-21 22:45:12 UTC
I just realised: 3.1.0 is still in tree. That should be dropped too, if we can.
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2020-04-22 07:45:53 UTC
3.1.0 had to be reinstated for bug #717610
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-22 11:27:45 UTC
(In reply to Sergei Trofimovich from comment #5)
> 3.1.0 had to be reinstated for bug #717610

Ah, thanks.
Comment 7 Larry the Git Cow gentoo-dev 2020-05-17 09:33:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7d448666bf391567ce16b2c394edbb753ad0386

commit e7d448666bf391567ce16b2c394edbb753ad0386
Author:     Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-05-17 09:33:19 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-05-17 09:33:35 +0000

    sys-libs/newlib: drop old, bug #713284
    
    Bug: https://bugs.gentoo.org/713284
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 sys-libs/newlib/Manifest            |   1 -
 sys-libs/newlib/newlib-3.1.0.ebuild | 141 ------------------------------------
 2 files changed, 142 deletions(-)