CVE-2020-6096

Priority
Description
An exploitable signed comparison vulnerability exists in the ARMv7 memcpy()
implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets
that utilize the GNU glibc implementation) with a negative value for the
'num' parameter results in a signed comparison vulnerability. If an
attacker underflows the 'num' parameter to memcpy(), this vulnerability
could lead to undefined behavior such as writing to out-of-bounds memory
and potentially remote code execution. Furthermore, this memcpy()
implementation allows for program execution to continue in scenarios where
a segmentation fault or crash should have occurred. The dangers occur in
that subsequent execution and iterations of this code will be executed with
this corrupted data.
Notes
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):needs-triage
Ubuntu 14.04 ESM (Trusty Tahr):needs-triage
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.10 (Eoan Ermine):DNE
Ubuntu 20.04 LTS (Focal Fossa):DNE
Ubuntu 20.10 (Groovy Gorilla):DNE
Package
Source: glibc (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 19.10 (Eoan Ermine):needs-triage
Ubuntu 20.04 LTS (Focal Fossa):needs-triage
Ubuntu 20.10 (Groovy Gorilla):needs-triage
More Information

Updated: 2020-04-29 19:14:34 UTC (commit bd6a073bfafc38621ce8c443b88e12892f0b4449)