Add NEWS entry for CVE-2020-10029 (bug 25487)

Message ID	20200304213604.97558-1-aurelien@aurel32.net
State	Superseded
Headers	Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk Sender: libc-alpha-owner@sourceware.org From: Aurelien Jarno <aurelien@aurel32.net> To: libc-alpha@sourceware.org Cc: Guido Vranken <guidovranken@gmail.com>, Florian Weimer <fweimer@redhat.com>, Joseph Myers <joseph@codesourcery.com>, Aurelien Jarno <aurelien@aurel32.net> Subject: [PATCH] Add NEWS entry for CVE-2020-10029 (bug 25487) Date: Wed, 4 Mar 2020 22:36:05 +0100 Message-Id: <20200304213604.97558-1-aurelien@aurel32.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit

Message ID

20200304213604.97558-1-aurelien@aurel32.net

State

Superseded

Headers

Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
Sender: libc-alpha-owner@sourceware.org
From: Aurelien Jarno <aurelien@aurel32.net>
To: libc-alpha@sourceware.org
Cc: Guido Vranken <guidovranken@gmail.com>,
	Florian Weimer <fweimer@redhat.com>,
	Joseph Myers <joseph@codesourcery.com>,
	Aurelien Jarno <aurelien@aurel32.net>
Subject: [PATCH] Add NEWS entry for CVE-2020-10029 (bug 25487)
Date: Wed,  4 Mar 2020 22:36:05 +0100
Message-Id: <20200304213604.97558-1-aurelien@aurel32.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Commit Message

Aurelien Jarno March 4, 2020, 9:36 p.m. UTC

  ---
 NEWS | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

From what I understand, part of the NEWS file is filled automatically
just before releases, but it's not the case for the security related
changes. In any case we need to provide one when backporting the patch
to other branches, so here is a proposal below.

Comments

Florian Weimer March 5, 2020, 11:14 a.m. UTC | #1

* Aurelien Jarno:

> From what I understand, part of the NEWS file is filled automatically
> just before releases, but it's not the case for the security related
> changes. In any case we need to provide one when backporting the patch
> to other branches, so here is a proposal below.

Yes, thanks for doing that.  I didn't get around to it yesterday.

> diff --git a/NEWS b/NEWS
> index 77631ca7071..4623984d36d 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -21,7 +21,9 @@ Changes to build and runtime requirements:
>  
>  Security related changes:
>  
> -  [Add security related changes here]
> +  CVE-2020-10029: The sinl function on x86 targets suffered from stack
> +  corruption when it was passed a pseudo-zero argument.  Reported by
> +  Guido Vranken.

As far as I know, this is not restricted to sinl, any function which
performs range reduction is affected.

Guido should comment on the attribution.  I strongly prefer crediting
people, not organizations, but other glibc developers do not share my
reservations in this area.

Thanks,
Florian

diff --git a/NEWS b/NEWS
index 77631ca7071..4623984d36d 100644
--- a/NEWS
+++ b/NEWS
@@ -21,7 +21,9 @@  Changes to build and runtime requirements:
 
 Security related changes:
 
-  [Add security related changes here]
+  CVE-2020-10029: The sinl function on x86 targets suffered from stack
+  corruption when it was passed a pseudo-zero argument.  Reported by
+  Guido Vranken.
 
 The following bugs are resolved with this release:

Add NEWS entry for CVE-2020-10029 (bug 25487)

Commit Message

Comments

Patch