CVE-2021-3420

NameCVE-2021-3420
DescriptionA flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could case an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh
Debian Bugs984424, 984446

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libnewlib-nano (PTS)sid, buster2.11.2-1vulnerable
newlib (PTS)stretch2.4.0.20160527-2vulnerable
buster3.1.0.20181231-1vulnerable
bullseye, sid3.3.0-1vulnerable
picolibc (PTS)bullseye, sid1.5.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libnewlib-nanosource(unstable)(unfixed)984424
newlibsource(unstable)(unfixed)984446
picolibcsource(unstable)1.5-1

Notes

[bullseye] - newlib <no-dsa> (Minor issue)
[buster] - newlib <no-dsa> (Minor issue)
[stretch] - newlib <no-dsa> (Minor issue)
[buster] - libnewlib-nano <no-dsa> (Minor issue)
Fix in picolibc: https://keithp.com/cgit/picolibc.git/commit/newlib/libc/stdlib/mallocr.c?id=aa106b29a6a8a1b0df9e334704292cbc32f2d44e
https://sourceware.org/git/?p=newlib-cygwin.git;a=commit;h=aa106b29a6a8a1b0df9e334704292cbc32f2d44e

Search for package or bug name: Reporting problems