update: glibc #1290
Labels
advisory/upstream-blocked
blocked by upstream projects
advisory
security advisory
security
security concerns
Comments
dongsupark
added
security
|
Added CVE-2023-6246, CVE-2023-6779, CVE-2023-6780. |
|
Added glibc-2024-01-30, a qsort issue. (No CVE) |
|
Updated, CVEs are addressed in the main branch, qsort issue is still TBD. |
|
Added |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Name: glibc
CVEs:
CVE-2023-5156, CVE-2023-6246, CVE-2023-6779, CVE-2023-6780,glibc-2024-01-30CVSSs:
7.5, 7.8, n/a, n/a,n/aAction Needed:
update to >= 2.38-r10 for most ones,TBD for glibc-2024-01-30Summary:
CVE-2023-5156: A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.CVE-2023-6246: A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.GLIBC-SA-2024-0001CVE-2023-6779: An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.GLIBC-SA-2024-0002CVE-2023-6780: An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.GLIBC-SA-2024-0003that returns (a - b), for example) and with a large number of attacker- controlled elements (to cause a malloc() failure inside qsort()). We have not tried to find such a vulnerable program in the real world.
refmap.gentoo:
CVE-2023-5156: https://bugs.gentoo.org/918412CVE-2023-[6246,6779,6780]: https://bugs.gentoo.org/923352The text was updated successfully, but these errors were encountered: