Microsoft CBL-Mariner 2.0.20230924 Rebuilds AArch64 Packages Due To That Nasty GCC Bug

Written by Michael Larabel in Arm on 1 October 2023 at 08:57 AM EDT. 1 Comment
ARM
Microsoft released CBL-Mariner 2.0.20230924 this week as the newest version of their in-house Linux distribution. The driving force behind this release is to get out rebuilt AArch64 packages following the recent GCC security vulnerability that affected Arm 64-bit built software.

CVE-2023-4039 was made public in mid-September over GCC's -fstack-protector feature opening up a vulnerability when targeting AArch64. CVE-2023-4039 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables to be exploited without being detected.
"A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity."

Those that hadn't heard of this GCC AArch64 vulnerability when it debuted a few weeks ago can learn more via NIST.gov.

AArch64 server


This week's CBL-Mariner update came after Microsoft found several but not all of their AArch64 packages with native code were impacted. Microsoft is also encouraging their customers to recompile their AArch64 software with GCC 11.2.0-6 or newer. Due to CBL-Mariner not allowing per-architecture versioning, the x86_64 packages were also rebuilt but not affected.

The updated Microsoft Linux distribution also has a number of other package updates due to other CVEs including 27 for Wireshark, a handful of issues with their Linux 5.15 LTS kernel, and then also fixes for CMake, libssh2, Node.js, xterm, and other packages.

More details on the updated Microsoft CBL-Mariner 2.0 release via GitHub.
1 Comment
Related News
LLVM Clang 19 Adds Arm Neoverse-N3 / Neoverse-V3 / Neoverse-V3AE Support
Acer Aspire One ARM Laptop To Have "Almost Full" Support With Linux 6.10
Linux 6.10 To Add Script For Building ARM64 Flat Image Trees
Arm China Looking At Upstreaming Their "Zhouyi" NPU Driver Into The Linux Kernel
Panthor DRM Driver Queued For Linux 6.10 To Support Newer Arm Mali GPUs
ARM SCMI CPUFreq Driver Enabling Boost Support By Default With Linux 6.9
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
Fedora Linux 40 Available For Download As A Wonderful Upgrade
AMD: "Additional Parts Of The Radeon Stack To Be Open Sourced Throughout The Year"
Systemd 256-rc1 Brings A Huge Number Of New Features
NVIDIA Developer Opens Feature Pull Request For Open-Source NVK Driver
Microsoft Open-Sources MS-DOS 4.0 Under MIT License
Ubuntu 24.04 LTS Downloads Now Available
GNU Portability Library's Tool Rewritten In Python For 8~100x Better Performance
Niri 0.1.5 Scrollable-Tiling Wayland Compositor Adds New Animations