sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka glibc or libc6) before 2.23 on x86 targets has a stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern, as seen when passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04 value to sprintf.

References:
https://sourceware.org/bugzilla/show_bug.cgi?id=26649
https://sourceware.org/pipermail/libc-alpha/2020-September/117779.html
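The following is an added example, not code from glibc or from this bug report, that makes the "non-canonical bit pattern" in the description concrete from a defender's side. It decodes the x87 80-bit extended-precision layout (64-bit significand with an explicit integer bit at bit 63, 15-bit exponent, sign bit), classifies an encoding as canonical or one of the non-canonical forms (unnormal, pseudo-denormal, pseudo-infinity, pseudo-NaN), and shows a guard that refuses to hand such a value to snprintf. The ten trigger bytes are the ones quoted in the description; the bytes for 1.0L, the function names and the guard are constructed here.

```c
#include <float.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x87 80-bit extended precision as stored in memory on little-endian x86:
 *   bytes 0..7 : 64-bit significand; bit 63 is the explicit integer bit
 *   bytes 8..9 : bits 0..14 biased exponent, bit 15 sign
 * A canonical encoding has the integer bit clear when the exponent is 0
 * (zero/denormal) and set when the exponent is non-zero (normal/inf/NaN). */
#define X87_BYTES   10
#define X87_EXP_MAX 0x7fffu
#define X87_INT_BIT (1ULL << 63)

struct x87_fields {
    uint64_t mantissa;   /* full 64-bit significand including the integer bit */
    unsigned exponent;   /* 15-bit biased exponent */
    bool sign;
};

static struct x87_fields x87_decode(const uint8_t raw[X87_BYTES])
{
    struct x87_fields f = {0, 0, false};
    for (int i = 7; i >= 0; i--)          /* little-endian significand */
        f.mantissa = (f.mantissa << 8) | raw[i];
    unsigned se = (unsigned)raw[8] | ((unsigned)raw[9] << 8);
    f.exponent = se & X87_EXP_MAX;
    f.sign = (se >> 15) != 0;
    return f;
}

/* True only for encodings the x87 format defines as well-formed. */
bool x87_is_canonical(const uint8_t raw[X87_BYTES])
{
    struct x87_fields f = x87_decode(raw);
    bool int_bit = (f.mantissa & X87_INT_BIT) != 0;
    return f.exponent == 0 ? !int_bit : int_bit;
}

/* Names every encoding class, including the non-canonical ones. */
const char *x87_classify(const uint8_t raw[X87_BYTES])
{
    struct x87_fields f = x87_decode(raw);
    bool int_bit = (f.mantissa & X87_INT_BIT) != 0;
    uint64_t fraction = f.mantissa & ~X87_INT_BIT;

    if (f.exponent == 0) {
        if (int_bit) return "pseudo-denormal";
        return f.mantissa == 0 ? "zero" : "denormal";
    }
    if (f.exponent == X87_EXP_MAX) {
        if (!int_bit) return fraction == 0 ? "pseudo-infinity" : "pseudo-nan";
        return fraction == 0 ? "infinity" : "nan";
    }
    return int_bit ? "normal" : "unnormal";
}

/* Guarded formatting (hypothetical helper): reject a non-canonical 80-bit
 * value instead of passing it to snprintf. Returns -1 on rejection, else the
 * snprintf result. Where long double is not x87 extended (LDBL_MANT_DIG != 64)
 * there is nothing to check and the value is formatted directly. */
int format_long_double_checked(char *buf, size_t n, long double v)
{
#if LDBL_MANT_DIG == 64
    uint8_t raw[X87_BYTES];
    memcpy(raw, &v, X87_BYTES);   /* the low 10 bytes of the 12/16-byte object */
    if (!x87_is_canonical(raw))
        return -1;
#endif
    return snprintf(buf, n, "%Lg", v);
}

/* Convenience for checking the guard's output against an expected string. */
bool checked_format_matches(long double v, const char *expect)
{
    char buf[64];
    return format_long_double_checked(buf, sizeof buf, v) > 0
        && strcmp(buf, expect) == 0;
}

/* Constructed from the trigger bytes quoted in the bug description. */
static const uint8_t cve_pattern[X87_BYTES] = {
    0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04
};
/* Constructed: canonical encoding of 1.0L (integer bit set, exponent 0x3fff). */
static const uint8_t one_pattern[X87_BYTES] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0x3f
};

int main(void)
{
    printf("trigger pattern: %s, canonical=%d\n",
           x87_classify(cve_pattern), x87_is_canonical(cve_pattern));
    printf("1.0L pattern:    %s, canonical=%d\n",
           x87_classify(one_pattern), x87_is_canonical(one_pattern));
    printf("checked format of 1.0L matches \"1\": %d\n",
           checked_format_matches(1.0L, "1"));
    return 0;
}
```

The trigger bytes decode to a significand of 0x0400 with the integer bit clear and a non-zero exponent of 0x0400, which is the "unnormal" class: a pattern no arithmetic instruction produces, so seeing one in data is a signal that the bytes were fabricated or corrupted rather than computed.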
External References: https://sourceware.org/pipermail/libc-alpha/2020-September/117779.html
(In reply to Huzaifa S. Sidhpurwala from comment #4)
> External References:
>
> https://sourceware.org/pipermail/libc-alpha/2020-September/117779.html

FTR, that is not the fix for the issue; it is incorrect and in fact in the context of upstream, it is a nop. What fixed the problem upstream are these patches:

https://sourceware.org/git/?p=glibc.git;h=d81f90ccd0109de9ed78aeeb8d86e2c6d4600690
https://sourceware.org/git/?p=glibc.git;h=8df4e219e43a4a257d0759b54fef8c488e2f282e
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2021:0348 https://access.redhat.com/errata/RHSA-2021:0348
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-29573
Statement: This is essentially a crash which can only be triggered by a non-standard argument passed as a long double input to a member of the printf family of functions. The application has to be written in this way to allow this issue to be triggered. The maximum impact is an application crash.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7.4 Advanced Update Support
Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2021:2813 https://access.redhat.com/errata/RHSA-2021:2813
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7.7 Extended Update Support

Via RHSA-2021:2998 https://access.redhat.com/errata/RHSA-2021:2998
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7.6 Advanced Update Support
Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2021:3315 https://access.redhat.com/errata/RHSA-2021:3315