Bug 717058 (CVE-2020-6096) - sys-libs/glibc: Signed comparison vulnerability in the ARMv7 memcpy() (CVE-2020-6096)
Summary: sys-libs/glibc: Signed comparison vulnerability in the ARMv7 memcpy() (CVE-20...
Status: IN_PROGRESS
Alias: CVE-2020-6096
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: B3 [upstream cve]
Reported: 2020-04-11 11:42 UTC by Sam James
Modified: 2020-05-22 14:45 UTC
Runtime testing required: ---
Description Sam James gentoo-dev Security 2020-04-11 11:42:58 UTC
Description:
"An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data."

It's not clear that upstream actually agree it's a security bug.
They have not formally disputed the CVE though.
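The description above turns on one detail: memcpy() takes a size_t, so a length that went negative in signed arithmetic arrives as a huge unsigned value, and the ARMv7 implementation's signed comparison then let the copy proceed instead of faulting. The following is an added example (it is not glibc code and not part of this bug report) showing, from the caller's side, where such a value should be stopped. The function names bounded_copy() and wrapped_length() are hypothetical, and the sample buffers are constructed for the demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What memcpy() actually receives when a caller passes a negative
 * signed length: the value is converted to size_t and wraps. */
size_t wrapped_length(long requested)
{
    return (size_t)requested;
}

/* Copy `requested` bytes from src to dst only if the request is sane.
 * Returns 1 on success, 0 if the request was rejected.  The checks are
 * done before the implicit signed-to-unsigned conversion can hide a
 * negative value, and against both buffer bounds so that a wrapped
 * length can never reach memcpy(). */
int bounded_copy(void *dst, size_t dst_cap,
                 const void *src, size_t src_len,
                 long requested)
{
    if (requested < 0)
        return 0;                 /* would wrap to a huge size_t */

    size_t n = (size_t)requested;
    if (n > dst_cap || n > src_len)
        return 0;                 /* out of bounds on either side */

    memcpy(dst, src, n);
    return 1;
}

int main(void)
{
    /* constructed sample buffers */
    char dst[8] = {0};
    const char src[] = "abcdef";

    /* A length computed from untrusted input that underflowed to -1. */
    long bad_len = -1;

    printf("negative length -1 becomes size_t %zu (SIZE_MAX is %zu)\n",
           wrapped_length(bad_len), (size_t)SIZE_MAX);
    printf("copy of 3 bytes accepted: %d\n",
           bounded_copy(dst, sizeof dst, src, sizeof src, 3));
    printf("copy of -1 bytes rejected: %d\n",
           bounded_copy(dst, sizeof dst, src, sizeof src, bad_len) == 0);
    return 0;
}
```

The point of the check is that a memcpy() implementation which silently continues after a wrapped length, as the description says this one did, gives the caller no crash to notice; the only reliable place to catch the underflow is before the call, while the length is still signed.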
Comment 1 tt_1 2020-05-15 12:31:52 UTC
This got fixed upstream by these two commits:

https://sourceware.org/git/?p=glibc.git;a=patch;h=eec0f4218cda936a6ab8f543e90b96b196df3fc2
https://sourceware.org/git/?p=glibc.git;a=patch;h=eca1b233322914d9013f3ee4aabecaadc9245abd

Found via https://sourceware.org/bugzilla/show_bug.cgi?id=25620#c25

They apply to glibc-2.30-r8, but I could imagine glibc-2.31-r3 being the better place to backport this since 2.30 is already stable.