Microsoft CBL-Mariner 2.0.20230924 Rebuilds AArch64 Packages Due To That Nasty GCC Bug
Microsoft released CBL-Mariner 2.0.20230924 this week as the newest version of their in-house Linux distribution. The driving force behind this release is shipping rebuilt AArch64 packages following the recent GCC security vulnerability that affected software built for 64-bit Arm.
CVE-2023-4039 was made public in mid-September: GCC's -fstack-protector feature has a flaw when targeting AArch64 that allows an existing buffer overflow in dynamically-sized local variables to be exploited without being detected.
"A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity."
Those that hadn't heard of this GCC AArch64 vulnerability when it debuted a few weeks ago can learn more via NIST.gov.
This week's CBL-Mariner update came after Microsoft found several but not all of their AArch64 packages with native code were impacted. Microsoft is also encouraging their customers to recompile their AArch64 software with GCC 11.2.0-6 or newer. Due to CBL-Mariner not allowing per-architecture versioning, the x86_64 packages were also rebuilt, though they were not affected.
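For teams deciding which of their own AArch64 code to rebuild and review first, the sketch below flags the two constructs the advisory names as affected, alloca() calls and C99 variable-length arrays, in C source text. It is an added example, not code from Microsoft or GCC; the regexes are heuristics, the ALL_CAPS-means-constant rule is an assumption, and the sample source is constructed.

```python
import re

# Constructs the advisory names as affected: alloca() and C99 VLAs.
ALLOCA_RE = re.compile(r"\b(?:__builtin_)?alloca\s*\(")
# Heuristic match for a local array declaration: "<type> name[<size>];"
DECL_RE = re.compile(
    r"^\s*(?:(?:const|volatile|unsigned|signed|struct|long|short)\s+)*"
    r"([A-Za-z_]\w*)[\s*]+[A-Za-z_]\w*\s*\[([^\]]*)\]\s*;")
NOT_A_TYPE = {"return", "goto", "else", "case", "typedef"}

def strip_comments(src):
    """Remove C comments but keep newlines so line numbers stay valid."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                 src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def is_dynamic_size(expr):
    """Assumption: ALL_CAPS names are macros/constants; any other
    identifier in the size expression makes the array variable-length."""
    expr = re.sub(r"sizeof\s*\([^)]*\)", "0", expr)
    return any(not n.isupper() for n in re.findall(r"\b[A-Za-z_]\w*", expr))

def scan(src):
    """Return (line, kind) pairs for alloca() calls and likely VLAs."""
    findings = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), 1):
        m = DECL_RE.match(line)
        if m and m.group(1) not in NOT_A_TYPE and is_dynamic_size(m.group(2)):
            findings.append((lineno, "vla"))
        if ALLOCA_RE.search(line):
            findings.append((lineno, "alloca"))
    return findings

# Constructed sample input, not taken from any real package.
SAMPLE = """\
#include <alloca.h>
#define MAX_LEN 64
/* char old[n]; is only a comment */
int handle(const char *msg, size_t len) {
    char fixed[MAX_LEN];      /* statically sized */
    char hex[0x10];
    char copy[len + 1];       /* C99 VLA */
    char *tmp = alloca(len);  /* alloca() */
    return fixed[len % MAX_LEN];
}
"""

if __name__ == "__main__":
    for lineno, kind in scan(SAMPLE):
        print(f"line {lineno}: {kind}")
```

A text scan like this is only a first pass; GCC's own -Wvla and -Walloca warnings report the same constructs from the compiler's view of the code.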
The updated Microsoft Linux distribution also has a number of other package updates due to other CVEs including 27 for Wireshark, a handful of issues with their Linux 5.15 LTS kernel, and then also fixes for CMake, libssh2, Node.js, xterm, and other packages.
More details on the updated Microsoft CBL-Mariner 2.0 release via GitHub.