CVE-2020-29573

Name of the Vulnerable Software and Affected Versions GNU C Library (aka glibc or libc6) versions prior to 2.23

Description The issue is a stack-based buffer overflow in the GNU C Library, which occurs when the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern. This can happen when passing a specific value, such as x00x04x00x00x00x00x00x00x00x04, to sprintf. The problem does not affect glibc by default in 2016 or later, which means versions 2.23 or later are not affected due to commits made in 2015 for inlining of C99 math functions through use of GCC built-ins.

Recommendations For GNU C Library (aka glibc or libc6) versions prior to 2.23, update to version 2.23 or later to resolve the issue. As a temporary workaround, consider avoiding the use of non-canonical bit patterns with the printf family of functions until a patch is available. Restrict access to the sprintf function to minimize the risk of exploitation.