CVE-2021-3420

NameCVE-2021-3420
DescriptionA flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could case an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs984424, 984446

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libnewlib-nano (PTS)buster2.11.2-1vulnerable
newlib (PTS)jessie2.1.0+git20140818.1a8323b-2vulnerable
stretch2.4.0.20160527-2vulnerable
buster3.1.0.20181231-1vulnerable
bullseye3.3.0-1vulnerable
bookworm3.3.0-1.3+deb12u1fixed
sid, trixie4.4.0.20231231-4fixed
picolibc (PTS)bullseye1.5.1-2fixed
bookworm1.8-1fixed
sid, trixie1.8.8-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libnewlib-nanosource(unstable)(unfixed)984424
newlibsourceexperimental4.4.0.20231231-1
newlibsourcejessie(unfixed)end-of-life
newlibsourcebookworm3.3.0-1.3+deb12u1
newlibsource(unstable)4.4.0.20231231-2984446
picolibcsource(unstable)1.5-1

Notes

[bullseye] - newlib <ignored> (Minor issue)
[buster] - newlib <no-dsa> (Minor issue)
[stretch] - newlib <no-dsa> (Minor issue)
[buster] - libnewlib-nano <no-dsa> (Minor issue)
Fix in picolibc: https://keithp.com/cgit/picolibc.git/commit/newlib/libc/stdlib/mallocr.c?id=aa106b29a6a8a1b0df9e334704292cbc32f2d44e
https://sourceware.org/git/?p=newlib-cygwin.git;a=commit;h=aa106b29a6a8a1b0df9e334704292cbc32f2d44e

Search for package or bug name: Reporting problems