CVE-2019-7309

NameCVE-2019-7309
DescriptionIn the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
glibc (PTS)stretch2.24-11+deb9u4vulnerable
stretch (security)2.24-11+deb9u1vulnerable
buster2.28-10+deb10u1fixed
bullseye2.31-13+deb11u3fixed
bookworm, sid2.33-7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
glibcsource(unstable)2.28-6unimportant

Notes

https://sourceware.org/bugzilla/show_bug.cgi?id=24155
https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html
x32 not officially supported

Search for package or bug name: Reporting problems