Bug 1773927 (CVE-2019-1010024)

Summary: CVE-2019-1010024 glibc: ASLR bypass using cache of thread stack and heap
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aoliva, arjun.is, ashankar, bdettelb, codonell, dj, fweimer, glibc-bugzilla, jschorr, law, mfabian, mnewsome, pfrankli, rth, siddhesh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-19 11:17:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1773928    
Bug Blocks: 1773929    

Description msiddiqu 2019-11-19 10:55:53 UTC 
GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc.

References:  

http://www.securityfocus.com/bid/109162
https://sourceware.org/bugzilla/show_bug.cgi?id=22852
https://support.f5.com/csp/article/K06046097
https://security-tracker.debian.org/tracker/CVE-2019-1010024
Comment 1 msiddiqu 2019-11-19 10:56:26 UTC 
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1773928]
Comment 2 Florian Weimer 2019-11-19 11:17:16 UTC 
Not a security vulnerability. We need to reuse thread stacks for performance reasons.
Comment 3 Riccardo Schirone 2019-11-20 10:31:18 UTC 
This is not a security vulnerability, but just a way to exploit a program that uses pthread_create. This requires an already vulnerable application with an attacker that has already compromised it. The attacker would need to have a way to leak an address in the stack/heap of a thread and a primitive to write data there (e.g. buffer overflow). This could be considered just hardening, as said in the upstream bug.