Bug 1183172 (CVE-2021-3420)

Summary: VUL-0: CVE-2021-3420: newlib: improper validation in memory allocation functions could lead to heap-based buffer overflow
Product: [openSUSE] openSUSE Distribution
Reporter: Alexander Bergmann <abergmann>
Component: Basesystem
Assignee: Richard Biener <rguenther>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: ahmedsayeed1982
Version: Leap 15.2
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/278917/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2021-03-08 13:12:09 UTC
rh#1934088

A flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could cause an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.

Reference and upstream patch:
https://sourceware.org/git/?p=newlib-cygwin.git;a=commit;h=aa106b29a6a8a1b0df9e334704292cbc32f2d44e

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1934088
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3420
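
The overflow pattern named in the description, as an added example that is not newlib's code and not taken from the upstream patch: a memalign-style allocator adds alignment padding to the requested size, and without a check that sum can wrap to a small value. The function names and the malloc-based layout are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Illustrative only: helper names are hypothetical, not newlib's. */

/* Unchecked padding: for a size near SIZE_MAX the sum wraps and a
   small value is returned, so a small block would be allocated. */
size_t padded_size_unchecked(size_t align, size_t size)
{
    return size + (align - 1) + sizeof(void *);
}

/* Checked padding: returns 0 and stores the total, or -1 on overflow. */
int padded_size_checked(size_t align, size_t size, size_t *total)
{
    size_t overhead = sizeof(void *);
    if (align - 1 > SIZE_MAX - overhead)
        return -1;
    overhead += align - 1;
    if (size > SIZE_MAX - overhead)
        return -1;
    *total = size + overhead;
    return 0;
}

/* memalign-style allocator built on malloc; rejects wrapping requests. */
void *demo_memalign(size_t align, size_t size)
{
    size_t total;
    if (align == 0 || (align & (align - 1)) != 0)
        return NULL;              /* alignment must be a power of two */
    if (padded_size_checked(align, size, &total) != 0)
        return NULL;              /* request would wrap: refuse it */
    unsigned char *raw = malloc(total);
    if (raw == NULL)
        return NULL;
    uintptr_t user = ((uintptr_t)raw + sizeof(void *) + align - 1)
                     & ~(uintptr_t)(align - 1);
    ((void **)user)[-1] = raw;    /* remembered for demo_free() */
    return (void *)user;
}

void demo_free(void *p)
{
    if (p != NULL)
        free(((void **)p)[-1]);
}
```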
Comment 1 OBSbugzilla Bot 2021-03-08 15:40:26 UTC
This is an autogenerated message for OBS integration:
This bug (1183172) was mentioned in
https://build.opensuse.org/request/show/877766 Factory / newlib
Comment 2 Richard Biener 2021-03-09 07:18:19 UTC
We're not using newlib for anything with what could be remotely viewed as attack surface.  newlib is not on SLE (well, it's part of nvptx/gcn offloading support in the toolchain module), not sure why Leap contains it.  Not sure what the process is to update relevant parts from Factory there at this point.

I'd say it's not worth worrying and thus, fixed.
Comment 3 Ahmed Sayeed 2021-10-13 16:58:06 UTC