** Description changed: - See - https://launchpad.net/ubuntu/+source/gcc-10/10.5.0-3ubuntu1/+build/27746786/+files/buildlog_ubuntu- - noble-arm64.gcc-10_10.5.0-3ubuntu1_BUILDING.txt.gz + [Impact] + + Some gcc versions in Jammy and Focal are still + vulnerable to the arm64-specific CVE-2023-4039 + (-fstack-protector guard failures with dynamic + stack allocations). + + This impacts detecting, e.g., buffer overflows, + resulting in less secure Ubuntu arm64 packages. + + [Test Plan] + + Use the test-case in the vulnerability post [1], + as in comments #20 and #21. + + Without patches, the test fails with Bus Error + and a register value modified by the program. + + With the patches, the test fails with Aborted + (buffer overflow detected) and register value + unmodified. + + [1] https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html + + [Regression Potential] + + The patchset modifies arm64-specific code gen, + therefore any arm64 program might be affected, + while other architectures should not. + + That is, signs of regressions from this would + manifest as errors seen only in arm64 programs + but not in other architectures. + + Potential fallout is expected to occur early + and/or with dynamic allocations in the stack, + and could manifest in different, subtle ways. + + That is concerning, however, fortunately this + patchset has been introduced for a while now + in the _same gcc versions_ in _newer_ series. + + That gives confidence to SRU the _same_ change + to the _same_ gcc versions (to _older_ series). + + [Other Info] + + - gcc-14: fixed in Noble/Oracular (comment #22) + - gcc-13: fixed in Noble/Oracular (comment #23) + - gcc-12: fixed in Noble/Oracular, NOT in Jammy (comment #13) + - gcc-11: fixed in Noble/Oracular, NOT in Jammy (comment #14) + - gcc-10: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #15) + - gcc-9: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #16) + + The fix for gcc-9/Focal FTBFS due to an Ada-related check. + For the moment, it's not going to be pursued/analyzed more + as agreed with the original reporter (sufficient for them). + If others need it, please reopen and analyze/fix the error. + + [Original Bug Description] + See https://launchpad.net/ubuntu/+source/gcc-10/10.5.0-3ubuntu1/+build/27746786/+files/buildlog_ubuntu-noble-arm64.gcc-10_10.5.0-3ubuntu1_BUILDING.txt.gz The above build is supposed to address https://nvd.nist.gov/vuln/detail/CVE-2023-4039
** Description changed: [Impact] Some gcc versions in Jammy and Focal are still vulnerable to the arm64-specific CVE-2023-4039 (-fstack-protector guard failures with dynamic stack allocations). This impacts detecting, e.g., buffer overflows, - resulting in less secure Ubuntu arm64 packages. + resulting in less secure Ubuntu arm64 packages + and user-built binaries. [Test Plan] Use the test-case in the vulnerability post [1], as in comments #20 and #21. Without patches, the test fails with Bus Error and a register value modified by the program. With the patches, the test fails with Aborted (buffer overflow detected) and register value unmodified. [1] https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html [Regression Potential] The patchset modifies arm64-specific code gen, therefore any arm64 program might be affected, while other architectures should not. That is, signs of regressions from this would manifest as errors seen only in arm64 programs but not in other architectures. Potential fallout is expected to occur early and/or with dynamic allocations in the stack, and could manifest in different, subtle ways. That is concerning, however, fortunately this patchset has been introduced for a while now in the _same gcc versions_ in _newer_ series. That gives confidence to SRU the _same_ change to the _same_ gcc versions (to _older_ series). [Other Info] - gcc-14: fixed in Noble/Oracular (comment #22) - gcc-13: fixed in Noble/Oracular (comment #23) - gcc-12: fixed in Noble/Oracular, NOT in Jammy (comment #13) - gcc-11: fixed in Noble/Oracular, NOT in Jammy (comment #14) - gcc-10: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #15) - gcc-9: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #16) The fix for gcc-9/Focal FTBFS due to an Ada-related check. For the moment, it's not going to be pursued/analyzed more as agreed with the original reporter (sufficient for them). If others need it, please reopen and analyze/fix the error. [Original Bug Description] See https://launchpad.net/ubuntu/+source/gcc-10/10.5.0-3ubuntu1/+build/27746786/+files/buildlog_ubuntu-noble-arm64.gcc-10_10.5.0-3ubuntu1_BUILDING.txt.gz The above build is supposed to address https://nvd.nist.gov/vuln/detail/CVE-2023-4039 ** Changed in: gcc-9 (Ubuntu Focal) Status: Triaged => Won't Fix ** Description changed: [Impact] Some gcc versions in Jammy and Focal are still vulnerable to the arm64-specific CVE-2023-4039 (-fstack-protector guard failures with dynamic stack allocations). This impacts detecting, e.g., buffer overflows, resulting in less secure Ubuntu arm64 packages and user-built binaries. [Test Plan] Use the test-case in the vulnerability post [1], as in comments #20 and #21. Without patches, the test fails with Bus Error and a register value modified by the program. With the patches, the test fails with Aborted (buffer overflow detected) and register value unmodified. [1] https://rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html [Regression Potential] The patchset modifies arm64-specific code gen, therefore any arm64 program might be affected, while other architectures should not. That is, signs of regressions from this would manifest as errors seen only in arm64 programs but not in other architectures. Potential fallout is expected to occur early and/or with dynamic allocations in the stack, and could manifest in different, subtle ways. That is concerning, however, fortunately this patchset has been introduced for a while now in the _same gcc versions_ in _newer_ series. That gives confidence to SRU the _same_ change to the _same_ gcc versions (to _older_ series). [Other Info] - gcc-14: fixed in Noble/Oracular (comment #22) - gcc-13: fixed in Noble/Oracular (comment #23) - gcc-12: fixed in Noble/Oracular, NOT in Jammy (comment #13) - gcc-11: fixed in Noble/Oracular, NOT in Jammy (comment #14) - gcc-10: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #15) - gcc-9: fixed in Noble/Oracular, NOT in Jammy/Focal (comment #16) The fix for gcc-9/Focal FTBFS due to an Ada-related check. For the moment, it's not going to be pursued/analyzed more as agreed with the original reporter (sufficient for them). If others need it, please reopen and analyze/fix the error. + For more information about the issue and patches: [2] + [2] https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64#Technical-Specifications + [Original Bug Description] See https://launchpad.net/ubuntu/+source/gcc-10/10.5.0-3ubuntu1/+build/27746786/+files/buildlog_ubuntu-noble-arm64.gcc-10_10.5.0-3ubuntu1_BUILDING.txt.gz The above build is supposed to address https://nvd.nist.gov/vuln/detail/CVE-2023-4039 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2054343 Title: CVE-2023-4039: ARM64 GCC To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gcc-10/+bug/2054343/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
