CVE-2019-7309

NameCVE-2019-7309
DescriptionIn the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitylow (attack range: local)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
glibc (PTS)jessie (security), jessie2.19-18+deb8u10vulnerable
stretch2.24-11+deb9u4vulnerable
stretch (security)2.24-11+deb9u1vulnerable
bullseye, sid, buster2.28-10fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
glibcsource(unstable)2.28-6unimportant

Notes

https://sourceware.org/bugzilla/show_bug.cgi?id=24155
https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html
x32 not officially supported

Search for package or bug name: Reporting problems