2024-03-28 04:47 AM
Hello,
I have a project created with STM32CubeIDE that includes FreeRTOS.
A Black Duck vulnerability scan was made on this project and a single vulnerability (CVE-2021-3420) was detected.
This vulnerability describes a flaw in Newlib 3.3.0 (all versions before 4.0.0) which causes some newlib functions (mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc) to be unsafe with overflow conditions.
All the files that are tied to this vulnerability by the scan are files sourced from arm-none-eabi that the IDE toolchain (GNU Tools for STM32(11.3 rel1)) uses to build my project.
I am not sure how to fix this "vulnerability" in my project since I can't change how ARM implemented its build toolchain which STM32 is using.
I am hoping I can somehow validate that my project does not use these compromised functions.
From what I can tell, isn't this a problem for every user of arm-none-eabi-gcc?
Am I doing something wrong? Can I somehow reject this vulnerability or fix it?
Thanks.
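One way to get the evidence the post above is asking for, as an added example that is not part of the original thread or of any ST or Arm tooling: with a static libc.a the linker only pulls in the archive members that something in the image actually references, so if the final ELF contains no definition of memalign, pvalloc, valloc (or their reentrant _*_r variants, or the aligned_alloc/posix_memalign wrappers that call memalign), the code described by CVE-2021-3420 is not in the firmware. The script below parses `arm-none-eabi-nm` output and reports any such defined symbol; the nm listings embedded in it are constructed samples, not output from a real build, so that the check runs without the toolchain. The symbol list, the function names and the `scan_elf` helper are this example's own choices.

```shell
#!/bin/sh
# Check a linked firmware image for the newlib alignment allocators named in CVE-2021-3420.
# Real use:  arm-none-eabi-nm firmware.elf | sh check_memalign.sh
# Assumption: the affected allocators keep their usual exported names in both
# the full and the nano variants of newlib (the nano_* names are internal).
AFFECTED_SYMBOLS='memalign pvalloc valloc _memalign_r _pvalloc_r _valloc_r posix_memalign aligned_alloc'

# Reads nm output on stdin, prints every affected symbol that is *defined*
# in the image (text or weak symbol) and returns 1 if any was found, 0 if clean.
# 'U' entries are unresolved references and are ignored: an undefined symbol
# means nothing was linked in for it.
list_affected_symbols() {
    found=0
    while read -r addr type name; do
        case "$type" in
            T|t|W|w) ;;
            *) continue ;;
        esac
        for sym in $AFFECTED_SYMBOLS; do
            if [ "$name" = "$sym" ]; then
                printf '%s\n' "$name"
                found=1
            fi
        done
    done
    return "$found"
}

# Convenience wrapper for a real build (hypothetical helper; needs the GNU Arm toolchain on PATH).
scan_elf() {
    arm-none-eabi-nm "$1" | list_affected_symbols
}

# Constructed nm listings (not from a real project) used to demonstrate the check.
NM_CLEAN='08000000 T Reset_Handler
08000124 T main
080002a0 T malloc
080002e8 T free
         U _sbrk
20000000 D __malloc_sbrk_start'

NM_WITH_MEMALIGN='08000000 T Reset_Handler
08000124 T main
080002a0 T malloc
08000310 T memalign
08000380 T _memalign_r
080003f0 T aligned_alloc
         U _sbrk'

# Demonstration on the constructed samples (no toolchain needed):
printf '%s\n' "$NM_CLEAN" | list_affected_symbols && echo "clean image: no affected allocator linked"
printf '%s\n' "$NM_WITH_MEMALIGN" | list_affected_symbols || echo "affected allocator(s) linked: review their callers"
```

Two caveats when running this against a real image. First, check the final ELF, not the object files: an unreferenced archive member never reaches the image, which is exactly why the scanner's file-level match does not imply the code is present. Second, aligned_alloc and posix_memalign are included in the list because they are thin wrappers over memalign, and C++ code allocating over-aligned types can end up calling them without any direct memalign call in your sources; the linker map (`-Wl,-Map=firmware.map`, or `-Wl,--cref`) shows which object pulled each of them in.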
2024-04-25 12:44 PM
Welcome @Pavel A.,
Absolutely, this is exactly what I asked the development team that manages either the tools or the libraries.