newlib 3.3.0 is vulnerable to CVE-2021-3420

[tfloch]

Hi!

newlib version used by all sdk-ng version, is vulnerable to CVE-2021-3420.
CVSSv3 score 9.8.

Patch CVE-2021-3420 is in commit zephyrproject-rtos/newlib-cygwin@aa106b2, on branch newlib-4.0.0.
Zephyr SDK 0.17.0 uses branch zephyr-newlib-3.3.0, without the patch.

You should upgrade newlib submodule to version 4.0.0, or backport the security patch in 3.3.0 branch.
See PR zephyrproject-rtos/newlib-cygwin#8

[kartben]

Thanks for the report but please follow our processes for responsible vulnerability reporting, as opening an issue on a public tracker is generally not the best way to proceed, as I'm sure you can imagine :)
https://docs.zephyrproject.org/latest/security/reporting.html

[tfloch]

Thanks @kartben.

You can delete the issue, I will submit using https://docs.zephyrproject.org/latest/security/reporting.html process in a minute.

[kartben]

Thank you! Also probably don't want your PR and commit actually mentioning the CVE... but it's a bit too late now of course.

[tfloch]

@kartben I tried to send the email using 2 differents email adresses, but received a Mail Delivery Failure.

550 5.0.350 Remote server returned an error -> 550 Message delivered to [vulnerabilities@zephyrproject.org]
(mailto:vulnerabilities@zephyrproject.org); Can't send mail - all recipients were rejected: 550 #5.1.0 Address rejected.

[tfloch]

Submitted with https://github.com/zephyrproject-rtos/zephyr/security form