[PATCH] Add NEWS entry for CVE-2020-6096 (bug 25620)


[PATCH] Add NEWS entry for CVE-2020-6096 (bug 25620)

Aurelien Jarno
---
 NEWS | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/NEWS b/NEWS
index 92dcb77fef0..cd8a46fdc71 100644
--- a/NEWS
+++ b/NEWS
@@ -159,6 +159,9 @@ Security related changes:
   CVE-2020-1752: A use-after-free vulnerability in the glob function when
   expanding ~user has been fixed.
 
+  CVE-2020-6096: A signed comparison vulnerability in the ARMv7 memcpy and
+  memmove functions has been fixed.
+
 The following bugs are resolved with this release:
 
   [The release manager will add the list generated by
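Review bot: the added entry names the bug class (a signed comparison in the ARMv7 memcpy and memmove) but gives no credit to the reporters and does not say what the defect allowed, which is the detail a reader of "Security related changes" will look for; consider extending it before it lands, for example with a credit line in the shape the Talos advisory uses, "Discovered by Jason Royes and Samuel Dytrych of the Cisco Security Assessment and Penetration Team (see TALOS-2020-1019)". The trailing context shows the bug list below is generated by the release manager, so the [BZ #25620] reference belongs there rather than in this entry. The XFAIL added in commit eca1b233322914d9013f3ee4aabecaadc9245abd should also be removed in the same change, as requested in the follow-up.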
--
2.27.0


Re: [PATCH] Add NEWS entry for CVE-2020-6096 (bug 25620)

Florian Weimer
* Aurelien Jarno:

> +  CVE-2020-6096: A signed comparison vulnerability in the ARMv7 memcpy and
> +  memmove functions has been fixed.

Should we mention the reporter?

Please also remove the XFAIL added in commit
eca1b233322914d9013f3ee4aabecaadc9245abd.  Thanks.

Re: [PATCH] Add NEWS entry for CVE-2020-6096 (bug 25620)

Sourceware - libc-alpha mailing list
On 7/12/20 4:46 PM, Florian Weimer wrote:

> * Aurelien Jarno:
>
>> +  CVE-2020-6096: A signed comparison vulnerability in the ARMv7 memcpy and
>> +  memmove functions has been fixed.
>
> Should we mention the reporter?
>
> Please also remove the XFAIL added in commit
> eca1b233322914d9013f3ee4aabecaadc9245abd.  Thanks.
>

Yes, we should mention the reporter. Please and thank you.

The "Credit" in the Talos report says:
~~~
Discovered by Jason Royes of Cisco Security Assessment and Penetration Team.  
Discovered by Samuel Dytrych of Cisco Security Assessment and Penetration Team.
~~~

Thus I think it would be good to list:
"Discovered by Jason Royes and Samuel Dytrych of the
Cisco Security Assessment and Penetration Team (See TALOS-2020-1019)."

If you look here you can see similar credit:
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1019

--
Cheers,
Carlos.