Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 719472 (CVE-2019-6488) - <sys-libs/glibc-2.29: Possible denial of service (CVE-2019-6488)
Summary: <sys-libs/glibc-2.29: Possible denial of service (CVE-2019-6488)
Status: RESOLVED FIXED
Alias: CVE-2019-6488
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-26 01:17 UTC by GLSAMaker/CVETool Bot
Modified: 2020-06-13 01:05 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-26 01:17:23 UTC
CVE-2019-6488 (https://nvd.nist.gov/vuln/detail/CVE-2019-6488):
  The string component in the GNU C Library (aka glibc or libc6) through 2.28,
  when running on the x32 architecture, incorrectly attempts to use a 64-bit
  register for size_t in assembly codes, which can lead to a segmentation
  fault or possibly unspecified other impact, as demonstrated by a crash in
  __memmove_avx_unaligned_erms in
  sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S during a memcpy.
Comment 1 Sam James gentoo-dev Security 2020-04-26 01:19:58 UTC
@maintainer(s), please let us know what patchset this was fixed in (if at all) for 2.28.
Comment 2 Sergei Trofimovich gentoo-dev 2020-04-26 08:56:53 UTC
That is a https://sourceware.org/PR24097. I don't think gentoo has a fix in 2.28.

Does it matter? 2.28 is masked in gentoo.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2020-05-22 00:59:22 UTC
As per upstream:

__________________________

H.J. Lu 2019-01-22 03:52:25 UTC
Fixed for 2.29:

commit 5165de69c0908e28a380cbd4bb054e55ea4abc95
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Mon Jan 21 11:36:36 2019 -0800

    x86-64 strnlen/wcsnlen: Properly handle the length parameter [BZ# 24097]

_________________________________________________

2.29 has been masked in tree.
Added to an existing GLSA Request.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-06-13 01:05:28 UTC
This issue was resolved and addressed in
 GLSA 202006-04 at https://security.gentoo.org/glsa/202006-04
by GLSA coordinator Aaron Bauman (b-man).