CVE-2023-4039

2023-09-12 00:00:00
ubuntu.com

Tags: buffer overflow, stack-protector, gcc, aarch64, exploit, availability, confidentiality, integrity, hardening

CVSS3: 4.8 Medium
  Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE

AI Score: 5.5 Medium (Confidence: High)

CVSS2: 4 Medium
  Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N
  Access Vector: NETWORK
  Access Complexity: HIGH
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE

EPSS: 0.0005 Low (Percentile: 15.9%)

Description

[DISPUTED] A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables (variable-length arrays) or buffers created using alloca(); the stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in a controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program control flow to cause an uncontrolled loss of availability, or to go further and affect confidentiality or integrity.

NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.
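The description says which locals the AArch64 stack-protector failed to cover, but not why. The probe below is an example added here, not code from the advisory or from the GCC project: it records where the compiler places a fixed-size local, a C99 VLA and an alloca() buffer relative to the frame record (the saved frame pointer and return address) so the two layouts can be compared by building it on an x86-64 and an arm64 machine (for instance `gcc -O2 -fstack-protector-all probe.c -o probe && ./probe`). It assumes GCC or Clang for the two builtins, and the explanation of the AArch64 layout in its comments is my reading of the GCC frame layout that the fix changed; the advisory itself does not spell it out.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Addresses captured inside one stack frame. */
struct frame_probe {
    uintptr_t frame_record; /* __builtin_frame_address(0): saved FP/LR on AArch64, saved RBP on x86-64 */
    uintptr_t fixed_buf;    /* statically sized local: covered by the canary on both targets */
    uintptr_t vla_buf;      /* C99 variable-length array */
    uintptr_t alloca_buf;   /* alloca() buffer */
};

/* Read through a volatile so the compiler cannot constant-propagate the size
 * and quietly turn the VLA into a fixed-size array. */
static volatile size_t probe_size = 32;

/* Record where the compiler placed each kind of local relative to the frame
 * record. Requires GCC or Clang for the two builtins. */
__attribute__((noinline)) void probe_frame(size_t n, struct frame_probe *out)
{
    volatile char fixed[64];
    volatile char vla[n];
    volatile char *dyn = __builtin_alloca(n);

    fixed[0] = 0; vla[0] = 0; dyn[0] = 0;   /* touch them so they are materialised */
    out->frame_record = (uintptr_t)__builtin_frame_address(0);
    out->fixed_buf    = (uintptr_t)fixed;
    out->vla_buf      = (uintptr_t)vla;
    out->alloca_buf   = (uintptr_t)dyn;
}

/* 1 if both dynamically sized objects sit below the frame record. Expected on
 * every target: the stack grows downward and VLA/alloca lower the stack pointer
 * after the prologue has already saved the registers. */
int dynamic_objects_below_frame_record(void)
{
    struct frame_probe p;
    probe_frame(probe_size, &p);
    return p.vla_buf < p.frame_record && p.alloca_buf < p.frame_record;
}

/* 1 if the fixed-size local sits above the frame record.
 * x86-64 (GCC/Clang): saved RBP and the return address are at the top of the
 *   frame with every local, and the canary, below them. Returns 0. An overflow
 *   running upward out of a VLA crosses the canary before it reaches the return
 *   address, so the stack protector catches it.
 * AArch64 (GCC; my reading of the layout fixed for CVE-2023-4039, not text from
 *   the advisory): the frame record is at the bottom of the frame and the
 *   locals, canary included, are above it. Returns 1. An overflow running upward
 *   out of a VLA or alloca() buffer reaches the saved FP/LR first and never
 *   touches the canary. */
int fixed_local_above_frame_record(void)
{
    struct frame_probe p;
    probe_frame(probe_size, &p);
    return p.fixed_buf > p.frame_record;
}

int main(void)
{
    struct frame_probe p;
    probe_frame(probe_size, &p);
    printf("frame record     : 0x%" PRIxPTR "\n", p.frame_record);
    printf("fixed-size local : 0x%" PRIxPTR " (%s frame record)\n", p.fixed_buf,
           p.fixed_buf > p.frame_record ? "above" : "below");
    printf("VLA              : 0x%" PRIxPTR " (%s frame record)\n", p.vla_buf,
           p.vla_buf > p.frame_record ? "above" : "below");
    printf("alloca buffer    : 0x%" PRIxPTR " (%s frame record)\n", p.alloca_buf,
           p.alloca_buf > p.frame_record ? "above" : "below");
    printf("saved FP/LR reachable from a VLA/alloca overflow without crossing the canary: %s\n",
           dynamic_objects_below_frame_record() && fixed_local_above_frame_record() ? "yes" : "no");
    return 0;
}
```

The probe only reports addresses; it does not overflow anything. The practical point for application code is the one the description makes: the stack protector never removed the underlying bug, and on an affected GCC/AArch64 build a write past the end of a VLA or alloca() buffer corrupts the saved frame pointer and return address before any canary check can fire, so a bounds check on the length that sizes such a buffer is the only real defence.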

Notes

sbeattie: gcc-3.3 only provides libstdc++5.

alexmurray: Patches are expected to be provided for upstream versions 11, 12, 13 and trunk. Any possible package on arm64 in Ubuntu could be affected by this and would therefore need to be recompiled by a new version of gcc containing this fix; however, performing a whole-of-archive rebuild is not feasible. It might be possible to detect which packages need to be rebuilt by looking for those with the -fstack-clash-protection mitigation via hardening-check (as since Ubuntu 20.04 LTS nearly all packages are compiled with this by default). This is still likely to be quite a large subset of the archive and still not feasible to rebuild. Instead, as regular security / SRU updates are performed for packages, they will opportunistically receive this fix.

sbeattie: 14.04 LTS (trusty) Pro Infra and 16.04 LTS (xenial) Pro Infra do not support Arm64 as an architecture.
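The triage problem in the notes above is working out which arm64 binaries were produced by an affected GCC with -fstack-protector enabled, without rebuilding everything. The program below is an example added here, not Ubuntu's or the GCC project's tooling, and it takes a different route from the hardening-check approach mentioned in the note: it parses an ELF64 file and reports e_machine, the compiler banner GCC records in the .comment section (the version of the compiler that built each object), and whether the binary references __stack_chk_fail, which is what a -fstack-protector build links against. The sample image and banner strings in the self-test are constructed; the fixed GCC versions to compare against are not given on this page, so the program reports rather than judges. It needs a Linux <elf.h>.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct elf_report {
    uint16_t machine;          /* e_machine: EM_AARCH64 (183), EM_X86_64 (62), ... */
    char comment[128];         /* first string of .comment, e.g. "GCC: (...) 12.3.0" */
    int uses_stack_protector;  /* 1 if .dynstr or .strtab contains __stack_chk_fail */
};

/* Section bytes, or NULL if the section has no file bytes or lies outside the image. */
static const unsigned char *section_data(const unsigned char *buf, size_t len, const Elf64_Shdr *sh)
{
    if (sh->sh_type == SHT_NOBITS || sh->sh_offset > len || sh->sh_size > len - sh->sh_offset)
        return NULL;
    return buf + sh->sh_offset;
}

/* Is the NUL-terminated string at `off` in string table `tab` exactly `want`? */
static int name_is(const unsigned char *tab, size_t tabsz, uint32_t off, const char *want)
{
    size_t wl = strlen(want) + 1;
    return off < tabsz && tabsz - off >= wl && memcmp(tab + off, want, wl) == 0;
}

/* Does a string table contain `needle` as one complete entry? */
static int strtab_contains(const unsigned char *tab, size_t tabsz, const char *needle)
{
    size_t nl = strlen(needle) + 1;
    for (size_t i = 0; i + nl <= tabsz; i++)
        if ((i == 0 || tab[i - 1] == '\0') && memcmp(tab + i, needle, nl) == 0)
            return 1;
    return 0;
}

/* Parse an in-memory little-endian ELF64 image. Returns 0 on success, -1 if it is
 * malformed. Every offset is bounds-checked against `len` before it is used, so a
 * hostile file cannot push the scanner out of its buffer. */
int scan_elf(const unsigned char *buf, size_t len, struct elf_report *out)
{
    Elf64_Ehdr eh;
    Elf64_Shdr shstr;
    const unsigned char *names;

    memset(out, 0, sizeof *out);
    if (len < sizeof eh || memcmp(buf, ELFMAG, SELFMAG) != 0 ||
        buf[EI_CLASS] != ELFCLASS64 || buf[EI_DATA] != ELFDATA2LSB)
        return -1;
    memcpy(&eh, buf, sizeof eh);
    out->machine = eh.e_machine;
    if (eh.e_shentsize != sizeof(Elf64_Shdr) || eh.e_shnum == 0 || eh.e_shstrndx >= eh.e_shnum ||
        eh.e_shoff > len || (size_t)eh.e_shnum * sizeof(Elf64_Shdr) > len - eh.e_shoff)
        return -1;
    memcpy(&shstr, buf + eh.e_shoff + (size_t)eh.e_shstrndx * sizeof shstr, sizeof shstr);
    if (!(names = section_data(buf, len, &shstr)))
        return -1;

    for (unsigned i = 0; i < eh.e_shnum; i++) {
        Elf64_Shdr sh;
        memcpy(&sh, buf + eh.e_shoff + (size_t)i * sizeof sh, sizeof sh);
        const unsigned char *data = section_data(buf, len, &sh);
        if (!data)
            continue;
        if (name_is(names, shstr.sh_size, sh.sh_name, ".comment")) {
            /* .comment is a run of NUL-terminated strings; some linkers start it with a NUL */
            size_t s = 0, avail;
            while (s < sh.sh_size && data[s] == '\0')
                s++;
            avail = sh.sh_size - s;
            if (avail > sizeof out->comment - 1)
                avail = sizeof out->comment - 1;
            snprintf(out->comment, sizeof out->comment, "%.*s", (int)avail, (const char *)data + s);
        } else if (name_is(names, shstr.sh_size, sh.sh_name, ".dynstr") ||
                   name_is(names, shstr.sh_size, sh.sh_name, ".strtab")) {
            if (strtab_contains(data, sh.sh_size, "__stack_chk_fail"))
                out->uses_stack_protector = 1;
        }
    }
    return 0;
}

/* Read a whole file into memory and scan it. Returns 0 on success, -1 on I/O or parse error. */
int scan_elf_file(const char *path, struct elf_report *out)
{
    FILE *f = fopen(path, "rb");
    unsigned char *buf = NULL, *nb;
    size_t len = 0, cap = 0, n;
    int rc = -1;
    if (!f)
        return -1;
    for (;;) {
        if (len == cap) {
            cap = cap ? cap * 2 : 1 << 16;
            if (!(nb = realloc(buf, cap)))
                goto done;
            buf = nb;
        }
        if ((n = fread(buf + len, 1, cap - len, f)) == 0)
            break;
        len += n;
    }
    rc = scan_elf(buf, len, out);
done:
    free(buf);
    fclose(f);
    return rc;
}

/* Constructed test data: a minimal fake ELF64 image (header plus .shstrtab, .comment
 * and .dynstr) so the scanner can be exercised offline. Not a loadable executable.
 * Returns the bytes written, or 0 if `cap` is too small. */
size_t make_sample_elf(unsigned char *buf, size_t cap, uint16_t machine, const char *banner, int with_stack_chk)
{
    static const char shstr[] = "\0.shstrtab\0.comment\0.dynstr"; /* name offsets 1, 11, 20 */
    static const char dyn_yes[] = "\0__stack_chk_fail", dyn_no[] = "";
    const char *dyn = with_stack_chk ? dyn_yes : dyn_no;
    size_t dyn_sz = with_stack_chk ? sizeof dyn_yes : sizeof dyn_no;
    size_t banner_sz = strlen(banner) + 1;
    size_t off_shstr = sizeof(Elf64_Ehdr), off_comment = off_shstr + sizeof shstr;
    size_t off_dyn = off_comment + banner_sz;
    size_t off_sh = (off_dyn + dyn_sz + 7) & ~(size_t)7;   /* align the section header table */
    size_t total = off_sh + 4 * sizeof(Elf64_Shdr);
    Elf64_Ehdr eh = {0};
    Elf64_Shdr sh[4] = {{0}};

    if (cap < total)
        return 0;
    memset(buf, 0, total);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB; eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC; eh.e_machine = machine; eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh; eh.e_shoff = off_sh; eh.e_shentsize = sizeof(Elf64_Shdr);
    eh.e_shnum = 4; eh.e_shstrndx = 1;
    sh[1] = (Elf64_Shdr){ .sh_name = 1,  .sh_type = SHT_STRTAB,   .sh_offset = off_shstr,   .sh_size = sizeof shstr };
    sh[2] = (Elf64_Shdr){ .sh_name = 11, .sh_type = SHT_PROGBITS, .sh_offset = off_comment, .sh_size = banner_sz };
    sh[3] = (Elf64_Shdr){ .sh_name = 20, .sh_type = SHT_STRTAB,   .sh_offset = off_dyn,     .sh_size = dyn_sz };
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + off_shstr, shstr, sizeof shstr);
    memcpy(buf + off_comment, banner, banner_sz);
    memcpy(buf + off_dyn, dyn, dyn_sz);
    memcpy(buf + off_sh, sh, sizeof sh);
    return total;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        struct elf_report r;
        if (scan_elf_file(argv[i], &r) != 0) {
            printf("%s: not a readable little-endian ELF64 file\n", argv[i]);
            continue;
        }
        printf("%s: e_machine=%u%s comment=\"%s\" stack_protector=%s\n", argv[i], r.machine,
               r.machine == EM_AARCH64 ? " (AArch64)" : "", r.comment, r.uses_stack_protector ? "yes" : "no");
    }
    return 0;
}
```

Build with `gcc -O2 elfscan.c -o elfscan` and run it over a directory, e.g. `./elfscan /usr/bin/* | grep AArch64`, then compare the reported GCC version against the fixed version for your release. Two caveats: .comment carries one string per distinct compiler version among the linked objects and this example keeps only the first, so a binary linked from objects built by several compilers needs the whole section inspected; and a fully stripped, statically linked binary has neither .dynstr nor .strtab, so it will report stack_protector=no even when it was built with the protector.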
