With a heap corruption as a primitive, two FILE structures malloc()ated
in the heap, and 21 fixed bits in the glibc's addresses, we believe that
this signal handler race condition is exploitable on amd64 (probably not
in ~6-8 hours, but hopefully in less than a week). Only time will tell.
It is a race condition in a signal handler. The behaviour depends on the implementation of various standard library functions on the target system (syslog, malloc). This may very well be exploitable on other architectures (and systems). Apparently it is non-trivial to trigger. But it is possibly remote code execution with root permissions. Definitely nobody wants this in sshd.
Per https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.... they developed the exploit on Debian and Ubuntu on i386, but I don't believe there's any reason to think that it wouldn't work on other architectures. There are some things that suggest to my non-expert reading that it's harder to exploit on 64-bit architectures, and other libc implementations may be immune, but it wouldn't surprise me at all if Raspberry Pi OS (AKA Debian with some modifications) on a Pi was 32-bit and vulnerable.