製品・ソフトウェアに関する情報

JVN脆弱性詳細

newlib における古典的バッファオーバーフローの脆弱性

Title	newlib における古典的バッファオーバーフローの脆弱性
Summary	newlib には、古典的バッファオーバーフローの脆弱性、および整数オーバーフローの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 2, 2021, midnight
Registration Date	Nov. 18, 2021, 4:24 p.m.
Last Update	Nov. 18, 2021, 4:24 p.m.

Affected System

newlib project

newlib 4.0.0 未満

Fedora Project

Fedora

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-3420	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3420
National Vulnerability Database (NVD)
2	CVE-2021-3420	https://nvd.nist.gov/vuln/detail/CVE-2021-3420

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-120	https://cwe.mitre.org/data/definitions/120.html
2	CWE-190	https://cwe.mitre.org/data/definitions/190.html

ベンダー情報

No	Name	URL
Fedora Update Notification
1	FEDORA-2021-0fa2f42d3c	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AMK54N6UOPBFFX2YT32TWSAEFTHGSKAA/
2	FEDORA-2021-267c08cc40	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LSQZEUANAWBBAOC4TF5PTPJVLMUR7SFD/
3	FEDORA-2021-332fb9c796	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEBF6YHWFNCBW5A2ENSQ3Z56ELF4MTRE/
sourceware.org
4	malloc/nano-malloc: correctly check for out-of-bounds allocation reqs	https://sourceware.org/git/?p=newlib-cygwin.git;a=commit;h=aa106b29a6a8a1b0df9e334704292cbc32f2d44e

その他

No	Name	URL
関連文書
1	Bug 1934088 (CVE-2021-3420) - CVE-2021-3420 newlib: improper validation in memory allocation functions could lead to heap-based buffer overflow	https://bugzilla.redhat.com/show_bug.cgi?id=1934088

Change Log

No	Changed Details	Date of change
1	[2021年11月18日] 掲載	Nov. 18, 2021, 4:24 p.m.

NVD Vulnerability Information

CVE-2021-3420

Summary	A flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could case an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.
Publication Date	March 6, 2021, 6:15 a.m.
Registration Date	March 6, 2021, 10:03 a.m.
Last Update	Nov. 21, 2024, 3:21 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:newlib_project:newlib::::::::					4.0.0

Related information, measures and tools

No	URL	タグ
1	https://bugzilla.redhat.com/show_bug.cgi?id=1934088	Broken Link Issue Tracking Patch Third Party Advisory
2	https://bugzilla.redhat.com/show_bug.cgi?id=1934088	Broken Link Issue Tracking Patch Third Party Advisory
3	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AEBF6YHWFNCBW5A2ENSQ3Z56ELF4MTRE/
4	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AEBF6YHWFNCBW5A2ENSQ3Z56ELF4MTRE/
5	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AMK54N6UOPBFFX2YT32TWSAEFTHGSKAA/
6	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AMK54N6UOPBFFX2YT32TWSAEFTHGSKAA/
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQZEUANAWBBAOC4TF5PTPJVLMUR7SFD/
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LSQZEUANAWBBAOC4TF5PTPJVLMUR7SFD/

Common Vulnerabilities List