Bug 1731964 (CVE-2019-1010022)

Summary: CVE-2019-1010022 glibc: stack guard protection bypass
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aoliva, arjun.is, ashankar, codonell, dj, fweimer, glibc-bugzilla, huzaifas, law, mfabian, mnewsome, pfrankli, rth, siddhesh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-23 04:03:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1546607, 1731965
Bug Blocks: 1731971

Description msiddiqu 2019-07-22 12:43:35 UTC
GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard.

References:

https://sourceware.org/bugzilla/show_bug.cgi?id=22850

Comment 1 msiddiqu 2019-07-22 12:43:50 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1731965]

Comment 2 Huzaifa S. Sidhpurwala 2019-07-24 05:43:34 UTC
As per upstream (https://sourceware.org/bugzilla/show_bug.cgi?id=22850#c1), this is a known flaw in the way stack canaries are implemented by glibc. Proposed solutions include moving the TCB structure away from the stack and/or generating a new canary for each new thread; both of these changes are intrusive since they have an impact on the core structures and algorithms.

Red Hat packages may be updated, once patches land upstream.

This flaw has been marked as having Moderate impact because stack canaries are essentially a post-attack mitigation. Therefore this is not really a security flaw in glibc.