[gentoo-announce] [ GLSA 202003-13 ] musl: Stack-based buffer overflow - gentoo-announce

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 202003-13 ] musl: Stack-based buffer overflow
Date:	Sat, 14 Mar 2020 16:38:47
Message-Id:	`ecf0aba9-6273-3815-3bf1-6723ee9bed9b@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 202003-13

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: Normal

8

    Title: musl: Stack-based buffer overflow

9

     Date: March 14, 2020

10

     Bugs: #711276

11

       ID: 202003-13

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A stack-based buffer overflow in musl might allow an attacker to have

19

an application dependent impact.

20

21

Background

22

==========

23

24

musl is an implementation of the C standard library built on top of the

25

Linux system call API, including interfaces defined in the base

26

language standard, POSIX, and widely agreed-upon extensions.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package              /     Vulnerable     /            Unaffected

33

    -------------------------------------------------------------------

34

  1  sys-libs/musl                < 1.1.24                  >= 1.1.24

35

36

Description

37

===========

38

39

A flaw in musl libc's arch-specific math assembly code for i386 was

40

found which can lead to x87 stack overflow in the execution of

41

subsequent math code.

42

43

Impact

44

======

45

46

Impact depends on how the application built against musl libc handles

47

the ABI-violating x87 state.

48

49

Workaround

50

==========

51

52

There is no known workaround at this time.

53

54

Resolution

55

==========

56

57

All musl users should upgrade to the latest version:

58

59

  # emerge --sync

60

  # emerge --ask --oneshot --verbose ">=sys-libs/musl-1.1.24"

61

62

References

63

==========

64

65

[ 1 ] CVE-2019-14697

66

      https://nvd.nist.gov/vuln/detail/CVE-2019-14697

67

68

Availability

69

============

70

71

This GLSA and any updates to it are available for viewing at

72

the Gentoo Security Website:

73

74

 https://security.gentoo.org/glsa/202003-13

75

76

Concerns?

77

=========

78

79

Security is a primary focus of Gentoo Linux and ensuring the

80

confidentiality and security of our users' machines is of utmost

81

importance to us. Any security concerns should be addressed to

82

security@g.o or alternatively, you may file a bug at

83

https://bugs.gentoo.org.

84

85

License

86

=======

87

88

Copyright 2020 Gentoo Foundation, Inc; referenced text

89

belongs to its owner(s).

90

91

The contents of this document are licensed under the

92

Creative Commons - Attribution / Share Alike license.

93

94

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 202003-13
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: musl: Stack-based buffer overflow
9	Date: March 14, 2020
10	Bugs: #711276
11	ID: 202003-13
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A stack-based buffer overflow in musl might allow an attacker to have
19	an application dependent impact.
20
21	Background
22	==========
23
24	musl is an implementation of the C standard library built on top of the
25	Linux system call API, including interfaces defined in the base
26	language standard, POSIX, and widely agreed-upon extensions.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 sys-libs/musl < 1.1.24 >= 1.1.24
35
36	Description
37	===========
38
39	A flaw in musl libc's arch-specific math assembly code for i386 was
40	found which can lead to x87 stack overflow in the execution of
41	subsequent math code.
42
43	Impact
44	======
45
46	Impact depends on how the application built against musl libc handles
47	the ABI-violating x87 state.
48
49	Workaround
50	==========
51
52	There is no known workaround at this time.
53
54	Resolution
55	==========
56
57	All musl users should upgrade to the latest version:
58
59	# emerge --sync
60	# emerge --ask --oneshot --verbose ">=sys-libs/musl-1.1.24"
61
62	References
63	==========
64
65	[ 1 ] CVE-2019-14697
66	https://nvd.nist.gov/vuln/detail/CVE-2019-14697
67
68	Availability
69	============
70
71	This GLSA and any updates to it are available for viewing at
72	the Gentoo Security Website:
73
74	https://security.gentoo.org/glsa/202003-13
75
76	Concerns?
77	=========
78
79	Security is a primary focus of Gentoo Linux and ensuring the
80	confidentiality and security of our users' machines is of utmost
81	importance to us. Any security concerns should be addressed to
82	security@g.o or alternatively, you may file a bug at
83	https://bugs.gentoo.org.
84
85	License
86	=======
87
88	Copyright 2020 Gentoo Foundation, Inc; referenced text
89	belongs to its owner(s).
90
91	The contents of this document are licensed under the
92	Creative Commons - Attribution / Share Alike license.
93
94	https://creativecommons.org/licenses/by-sa/2.5