diff mbox

Add NEWS entry for CVE-2020-10029 (bug 25487)

Message ID 20200304213604.97558-1-aurelien@aurel32.net
State New
Headers show

Commit Message

Aurelien Jarno March 4, 2020, 9:36 p.m. UTC
---
 NEWS | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

From what I understand, part of the NEWS file is filled automatically
just before releases, but it's not the case for the security related
changes. In any case we need to provide one when backporting the patch
to other branches, so here is a proposal below.

Comments

Florian Weimer March 5, 2020, 11:14 a.m. UTC | #1
* Aurelien Jarno:

> From what I understand, part of the NEWS file is filled automatically
> just before releases, but it's not the case for the security related
> changes. In any case we need to provide one when backporting the patch
> to other branches, so here is a proposal below.

Yes, thanks for doing that.  I didn't get around to it yesterday.

> diff --git a/NEWS b/NEWS
> index 77631ca7071..4623984d36d 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -21,7 +21,9 @@ Changes to build and runtime requirements:
>  
>  Security related changes:
>  
> -  [Add security related changes here]
> +  CVE-2020-10029: The sinl function on x86 targets suffered from stack
> +  corruption when it was passed a pseudo-zero argument.  Reported by
> +  Guido Vranken.

As far as I know, this is not restricted to sinl, any function which
performs range reduction is affected.

Guido should comment on the attribution.  I strongly prefer crediting
people, not organizations, but other glibc developers do not share my
reservations in this area.

Thanks,
Florian
diff mbox

Patch

diff --git a/NEWS b/NEWS
index 77631ca7071..4623984d36d 100644
--- a/NEWS
+++ b/NEWS
@@ -21,7 +21,9 @@  Changes to build and runtime requirements:
 
 Security related changes:
 
-  [Add security related changes here]
+  CVE-2020-10029: The sinl function on x86 targets suffered from stack
+  corruption when it was passed a pseudo-zero argument.  Reported by
+  Guido Vranken.
 
 The following bugs are resolved with this release: