Bug 717058 (CVE-2020-6096) - <sys-libs/glibc-2.31-r6: Signed comparison vulnerability in the ARMv7 memcpy() (CVE-2020-6096)
Summary: <sys-libs/glibc-2.31-r6: Signed comparison vulnerability in the ARMv7 memcpy(...
Status: RESOLVED FIXED
Alias: CVE-2020-6096
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A3 [glsa+ cve]
Keywords:
Depends on: glibc-2.31-stable
Blocks:
Reported: 2020-04-11 11:42 UTC by Sam James
Modified: 2021-01-25 00:05 UTC (History)
CC List: 3 users

Runtime testing required: ---
Description Sam James archtester gentoo-dev Security 2020-04-11 11:42:58 UTC
Description:
"An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data."

It's not clear that upstream actually agree it's a security bug.
They have not formally disputed the CVE though.
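The quoted description hinges on a length check done with signed branch conditions. The following added illustration is not glibc code and not from the bug's attachments: it models the buggy signed dispatch beside the corrected unsigned one, shows how a caller's underflowed length (end - start with end before start) wraps to a huge size_t that the signed check misclassifies as small, and adds a capacity-bounded copy wrapper that refuses such a length. The threshold 64, the path names and the wrapper are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical copy-path dispatch. The pre-fix ARMv7 memcpy used signed
 * branch conditions on the length, so a length with the top bit set
 * (what an underflowed 'num' looks like) compared as a negative number. */
enum path { PATH_SMALL = 0, PATH_LARGE = 1 };

/* Buggy dispatch: compares the length as a signed quantity. */
enum path choose_path_signed(size_t n) {
    return ((ptrdiff_t)n >= 64) ? PATH_LARGE : PATH_SMALL;
}

/* Fixed dispatch: compares as unsigned, which is what size_t is. */
enum path choose_path_unsigned(size_t n) {
    return (n >= 64) ? PATH_LARGE : PATH_SMALL;
}

/* Computes a length from two pointers the way many parsers do.
 * When end precedes start the subtraction wraps to a value near SIZE_MAX. */
size_t span_length(const unsigned char *start, const unsigned char *end) {
    return (size_t)(end - start);
}

/* Caller-side guard: the copy length must fit the destination capacity.
 * A wrapped length exceeds any real capacity and is refused before memcpy
 * runs. Returns bytes copied, or 0 when the request was refused. */
size_t bounded_copy(void *dst, size_t dst_cap, const void *src, size_t n) {
    if (n > dst_cap)
        return 0;
    memcpy(dst, src, n);
    return n;
}

/* Worked case: a span whose end lies 5 bytes before its start.
 * Returns 1 when the signed check misclassifies the wrapped length as
 * small, the unsigned check classifies it as large, and the bounded
 * wrapper refuses it. */
int underflow_is_caught(void) {
    unsigned char buf[16] = {0};
    size_t n = span_length(buf + 8, buf + 3);   /* wraps to SIZE_MAX - 4 */
    return choose_path_signed(n) == PATH_SMALL
        && choose_path_unsigned(n) == PATH_LARGE
        && bounded_copy(buf, sizeof buf, buf, n) == 0;
}
```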
Comment 1 tt_1 2020-05-15 12:31:52 UTC
this got fixed upstream by these two commits: 

https://sourceware.org/git/?p=glibc.git;a=patch;h=eec0f4218cda936a6ab8f543e90b96b196df3fc2
https://sourceware.org/git/?p=glibc.git;a=patch;h=eca1b233322914d9013f3ee4aabecaadc9245abd

found via https://sourceware.org/bugzilla/show_bug.cgi?id=25620#c25

they apply to glibc-2.30-r8, but I could imagine glibc-2.31-r3 being the better place to backport this since 2.30 is already stable
Comment 2 Alexander Tsoy 2020-07-16 09:38:31 UTC
(In reply to tt_1 from comment #1)
> this got fixed upstream by these two commits: 
These commits only added tests. The vulnerability was really fixed only recently:
https://sourceware.org/bugzilla/show_bug.cgi?id=25620#c27
Comment 3 tt_1 2020-07-18 16:07:17 UTC
this got fixed in glibc-2.31 patchset8:

sys-libs/glibc: 2.31 bump to patchset 8, finally stable candidate

* arm: fix for CVE-2020-6096
* en_US: minimize changes to date_fmt (backport from 2.32)
* x86-64: fix avx2 strncmp offset compare condition check
* ia64: fix miscompilation on gcc-10
Comment 4 Sam James archtester gentoo-dev Security 2020-07-18 16:27:41 UTC
Thanks both.
Comment 5 Larry the Git Cow gentoo-dev 2020-10-30 19:29:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25382c826776a6af264da6af0153022bc30487ff

commit 25382c826776a6af264da6af0153022bc30487ff
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2020-10-30 19:27:56 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2020-10-30 19:29:02 +0000

    package.mask: extend glibc mask to <2.31-r6
    
    Bug: https://bugs.gentoo.org/717058
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 profiles/package.mask | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Andreas K. Hüttel gentoo-dev 2020-10-30 19:30:01 UTC
All masked. Security please proceed. No cleanup.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2021-01-25 00:05:58 UTC
This issue was resolved and addressed in
 GLSA 202101-20 at https://security.gentoo.org/glsa/202101-20
by GLSA coordinator Aaron Bauman (b-man).