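Score | Metric | Value |
---|---|---|
CVSS3 | Base score | 4.8 Medium |
CVSS3 | Attack Vector | NETWORK |
CVSS3 | Attack Complexity | HIGH |
CVSS3 | Privileges Required | NONE |
CVSS3 | User Interaction | NONE |
CVSS3 | Scope | UNCHANGED |
CVSS3 | Confidentiality Impact | LOW |
CVSS3 | Integrity Impact | LOW |
CVSS3 | Availability Impact | NONE |
CVSS3 | Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
AI Score | Score | 5.5 Medium |
AI Score | Confidence | High |
CVSS2 | Base score | 4 Medium |
CVSS2 | Access Vector | NETWORK |
CVSS2 | Access Complexity | HIGH |
CVSS2 | Authentication | NONE |
CVSS2 | Confidentiality Impact | PARTIAL |
CVSS2 | Integrity Impact | PARTIAL |
CVSS2 | Availability Impact | NONE |
CVSS2 | Vector | AV:N/AC:H/Au:N/C:P/I:P/A:N |
EPSS | Score | 0.0005 Low |
EPSS | Percentile | 15.9% |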
DISPUTED: A failure in the -fstack-protector feature in GCC-based
toolchains that target AArch64 allows an attacker to exploit an existing
buffer overflow in dynamically-sized local variables in your application
without this being detected. This stack-protector failure only applies to
C99-style dynamically-sized local variables or those created using
alloca(). The stack-protector operates as intended for statically-sized
local variables. The default behavior when the stack-protector detects an
overflow is to terminate your application, resulting in controlled loss of
availability. An attacker who can exploit a buffer overflow without
triggering the stack-protector might be able to change program flow control
to cause an uncontrolled loss of availability or to go further and affect
confidentiality or integrity. NOTE: The GCC project argues that this is a
missed hardening bug and not a vulnerability by itself.
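
The two classes of local variable that the description distinguishes, shown side by side as an added C example that is not part of the advisory or of GCC; the function names and the `MAX_NAME` limit are assumptions made for illustration.

```c
/* Added example, not from the advisory. Names and MAX_NAME are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAME 64 /* assumed application limit */

static void upper_into(char *dst, const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)toupper((unsigned char)src[i]);
    dst[n] = '\0';
}

/* Affected class: C99 dynamically-sized local. Per the description, an
 * overflow of tmp may go undetected on an unfixed AArch64 GCC, so the
 * explicit bounds check below is the only thing protecting the frame. */
int upper_dynamic(const char *src, char *out, size_t out_len)
{
    size_t n = strlen(src);
    if (n >= MAX_NAME || n >= out_len)
        return -1;
    char tmp[n + 1]; /* size known only at run time */
    upper_into(tmp, src, n);
    memcpy(out, tmp, n + 1);
    return 0;
}

/* Unaffected class: statically-sized local. Same check and same result,
 * and -fstack-protector still operates as intended for this buffer. */
int upper_static(const char *src, char *out, size_t out_len)
{
    size_t n = strlen(src);
    if (n >= MAX_NAME || n >= out_len)
        return -1;
    char tmp[MAX_NAME]; /* size fixed at compile time */
    upper_into(tmp, src, n);
    memcpy(out, tmp, n + 1);
    return 0;
}

int main(void)
{
    char a[MAX_NAME], b[MAX_NAME];
    if (upper_dynamic("aarch64", a, sizeof a) || upper_static("aarch64", b, sizeof b))
        return 1;
    printf("%s %s\n", a, b);
    return 0;
}
```

GCC's `-Wvla` and `-Walloca` warnings flag the first pattern at build time, which helps locate code that relies on the fixed compiler for stack-protector coverage.
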
Author | Note |
---|---|
sbeattie | gcc-3.3 only provides libstdc++5 |
alexmurray | Patches are expected to be provided for upstream versions 11, 12, 13 and trunk. Any possible package on arm64 in Ubuntu could be affected by this and would therefore need to be recompiled by a new version of gcc containing this fix; however, performing a whole-of-archive rebuild is not feasible. It might be possible to detect which packages need to be rebuilt by looking for those with the -fstack-clash-protection mitigation via hardening-check (as since Ubuntu 20.04 LTS nearly all packages are compiled with this by default). This is still likely to be quite a large subset of the archive and still not feasible to rebuild. Instead, as regular security / SRU updates are performed for packages, they will opportunistically receive this fix. |
sbeattie | 14.04 LTS (trusty) Pro Infra and 16.04 LTS (xenial) Pro Infra do not support Arm64 as an architecture. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | gcc-10 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | gcc-10 | < any | UNKNOWN |
ubuntu | 23.10 | noarch | gcc-10 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | gcc-10 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | gcc-10-cross | < any | UNKNOWN |
ubuntu | 22.04 | noarch | gcc-10-cross | < any | UNKNOWN |
ubuntu | 23.10 | noarch | gcc-10-cross | < any | UNKNOWN |
ubuntu | 24.04 | noarch | gcc-10-cross | < any | UNKNOWN |
ubuntu | 20.04 | noarch | gcc-10-cross-mipsen | < any | UNKNOWN |
ubuntu | 22.04 | noarch | gcc-10-cross-mipsen | < any | UNKNOWN |
developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
launchpad.net/bugs/cve/CVE-2023-4039
nvd.nist.gov/vuln/detail/CVE-2023-4039
rtx.meta.security/mitigation/2023/09/12/CVE-2023-4039.html
security-tracker.debian.org/tracker/CVE-2023-4039
www.cve.org/CVERecord?id=CVE-2023-4039