oss-sec mailing list archives
CVE-2016-4973 gcc: Targets using libssp for SSP are missing -D_FORTIFY_SOURCE functionality
From: Cedric Buissart <cbuissar () redhat com>
Date: Wed, 17 Aug 2016 18:03:05 +0200
Hi,

This is to disclose the following CVE:

CVE-2016-4973 gcc: Targets using libssp for SSP are missing -D_FORTIFY_SOURCE functionality

It was found that targets using gcc's libssp library for Stack Smashing Protection (among others: Cygwin, MinGW, newlib, RTEMS; but not Glibc, Bionic, NetBSD, which provide SSP in libc) are missing the Object Size Checking feature, even when explicitly requested with _FORTIFY_SOURCE. Vulnerable binaries compiled against such targets do not benefit from such protection, increasing the chances of success of a buffer overflow attack.

There is currently no upstream patch. Discussions on the subject & patch proposal can be found in the corresponding Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4973

Impact: Low
CVSSv3 scoring: 3.6 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Note regarding the scoring: only the GCC flaw was taken into account, not its potential combination with a flaw in an affected binary.

The flaw was reported by Yaakov Selkowitz (Red Hat).

Best regards,
Cedric

--
Cedric Buissart, Product Security
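The practical question this advisory raises for anyone building for a libssp-based target is whether a given toolchain actually honours -D_FORTIFY_SOURCE or silently drops the object-size checks. The script below is an added example, not part of the advisory or of gcc's own test suite: it compiles a constructed one-function probe with -O2 -D_FORTIFY_SOURCE=2 and inspects the object file for a reference to __memcpy_chk, which is what a fortifying libc turns memcpy into when the destination size is known at compile time but the copy length is not. It assumes a C compiler reachable as cc and a working nm in PATH; the function name fortify_probe and the three result strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): probe whether the active toolchain
# emits _FORTIFY_SOURCE object-size checks.
# Prints one of:
#   fortified      - __memcpy_chk referenced, object-size checking is active
#   not-fortified  - plain memcpy survived, _FORTIFY_SOURCE had no effect
#   no-toolchain   - cc or nm missing, or the probe failed to compile
# Assumptions: cc and nm are in PATH (hypothetical host, any libc).

fortify_probe() {
    dir=$(mktemp -d) || { echo no-toolchain; return 0; }

    # Constructed probe: destination size is a compile-time constant (64),
    # the copy length is a runtime value, so a fortifying libc must rewrite
    # memcpy into __memcpy_chk(buf, src, n, 64).
    cat > "$dir/probe.c" <<'EOF'
#include <string.h>

char buf[64];

void copy_in(const char *src, size_t n)
{
    memcpy(buf, src, n);
}
EOF

    if ! command -v cc >/dev/null 2>&1 || ! command -v nm >/dev/null 2>&1; then
        rm -rf "$dir"
        echo no-toolchain
        return 0
    fi

    # -O2 matters: glibc-style fortification is only enabled with optimisation.
    if ! cc -O2 -D_FORTIFY_SOURCE=2 -c "$dir/probe.c" -o "$dir/probe.o" 2>/dev/null; then
        rm -rf "$dir"
        echo no-toolchain
        return 0
    fi

    if nm "$dir/probe.o" 2>/dev/null | grep -q '__memcpy_chk'; then
        result=fortified
    else
        result=not-fortified
    fi

    rm -rf "$dir"
    echo "$result"
}

# Stand-alone run: report the verdict for the host toolchain.
fortify_probe
```

On a glibc host this prints fortified; on a target of the kind the advisory describes it prints not-fortified even though _FORTIFY_SOURCE was requested, which is the gap to track in a build's hardening checklist until a fix lands.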