Bug 1737445 (CVE-2019-1010025)

Summary: CVE-2019-1010025 glibc: information disclosure of heap addresses of pthread_created thread
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aoliva, arjun, ashankar, codonell, dj, fweimer, glibc-bugzilla, law, mfabian, mnewsome, pfrankli, rth, siddhesh, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-07 01:18:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1737446    
Bug Blocks: 1737447    

Description Dhananjay Arunesh 2019-08-05 11:30:46 UTC 
GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may
guess the heap addresses of pthread_created thread. The component is: glibc.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=22853
Comment 1 Dhananjay Arunesh 2019-08-05 11:31:11 UTC 
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1737446]
Comment 3 Marco Benatto 2019-08-06 21:43:15 UTC 
The information disclosure mentioned by CVE-2019-1010025 is not considered a vulnerability and its fix should be considered a hardening instead.
Although it's possible to eventually leak the thread heap's address by passing the ASLR mechanism, this bug is not exploitable by itself. An attack can not use this directly to perform any unexpected action, although this can be used to exploit any other unrelated software which consumes glibc's pthread API.
Comment 4 Marco Benatto 2019-08-06 21:49:21 UTC 
Statement:

This is does not affect the package glibc as shipped with Red Hat Enterprise Linux 5, 6,7 and 8. The bug related to this CVE is not exploitable.
Comment 5 Product Security DevOps Team 2019-08-07 01:18:18 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1010025