Does CVE-2023-4039 affect existing binaries?

124 views Asked by At

Our security scanner reports that a docker image is vulnerable to CVE-2023-4039:

A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca()...

OpenSuse claim this vulnerability is patched but I don't understand how this can be. If the vulnerability was in the compiler's code generation, doesn't it mean that all binaries created with this compiler are vulnerable?

How can a fix to the compiler fix existing binaries? I don't think alloca creates calls to shared object files...

Our images do not have gcc installed, is patching the images required/helpful?

1

There are 1 answers

0
Uberhumus On

I'm not saying this is the case, but I will explain how this can be, as I have seen this many times in Ubuntu. Sometimes Canonical (the company making Ubuntu) didn't wait for the upstream patch. In order to signify that they would add a suffix to the version. For example "bash 5.1-6" would become "bash 5.1-6ubuntu1". Our vulnerability scanner would see that the version is unpatched because it was still 5.1-6 and report the vulnerability as it was unfamiliar with Canonicals notation. I would check if the version in the container is not identical to the vulnerable version.

In the bottom advisory from the link above Suse state what they did to mitigate it and the version number for the updated libraries looks like it was patched without waiting for the upstream.

As you did not specify what specific container is your base image, I can't show the specific version, but for example in "SUSE Linux Enterprise Micro for Rancher 5.2" (Arbitrarily picked as it is last) the versions of GCC and co. are:

  • libstdc++6-13.2.1+git7813-150000.1.3.3
  • libgcc_s1-debuginfo-13.2.1+git7813-150000.1.3.3
  • libstdc++6-debuginfo-13.2.1+git7813-150000.1.3.3
  • libgcc_s1-13.2.1+git7813-150000.1.3.3

These versions look patched by the downstream (Suse) and not by the upstream (GNU), as GNU use the regular three parts version nomenclature.

As for anything compiled with the vulnerable compiler, those are different binaries from different packages, and need to be recompiled.