update: glibc #1290
Labels: advisory/upstream-blocked (blocked by upstream projects), advisory (security advisory), security (security concerns)
Comments
dongsupark added the security (security concerns), advisory (security advisory) and cvss/HIGH (> 7 && < 9 assessed CVSS) labels on Dec 15, 2023
Added CVE-2023-6246, CVE-2023-6779, CVE-2023-6780.
Added glibc-2024-01-30, a qsort issue. (No CVE)
Updated, CVEs are addressed in the main branch, qsort issue is still TBD.
Added
Name: glibc
CVEs: CVE-2023-5156, CVE-2023-6246, CVE-2023-6779, CVE-2023-6780, glibc-2024-01-30
CVSSs: 7.5, 7.8, n/a, n/a, n/a
Action Needed: update to >= 2.38-r10 for most of them, TBD for glibc-2024-01-30
Summary:
CVE-2023-5156: A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.
CVE-2023-6246 (GLIBC-SA-2024-0001): A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.
CVE-2023-6779 (GLIBC-SA-2024-0002): An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.
CVE-2023-6780 (GLIBC-SA-2024-0003): An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.
glibc-2024-01-30 (qsort issue, no CVE): that returns (a - b), for example) and with a large number of attacker-controlled elements (to cause a malloc() failure inside qsort()). We have not tried to find such a vulnerable program in the real world.
refmap.gentoo:
CVE-2023-5156: https://bugs.gentoo.org/918412
CVE-2023-[6246,6779,6780]: https://bugs.gentoo.org/923352
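As an added example (not code from glibc or Flatcar), a caller-side logging wrapper that removes the two preconditions the summary above names: it registers a short, non-NULL ident through openlog() so glibc never falls back to a long basename(argv[0]) (CVE-2023-6246), and it caps each record far below INT_MAX (CVE-2023-6779/6780). The 64-byte and 1024-byte limits and all function names are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <string.h>
#include <syslog.h>

/* Hardening wrapper (added example, not glibc/Flatcar code). The advisory
 * ties CVE-2023-6246 to syslog() used without openlog() or with ident==NULL
 * while basename(argv[0]) exceeds 1024 bytes, and CVE-2023-6779/6780 to
 * extremely long messages. Both limits below are this example's own
 * assumptions, not values taken from glibc. */
#define SAFE_IDENT_MAX 64     /* assumption: far below the 1024-byte trigger */
#define SAFE_MSG_MAX   1024   /* assumption: largest record handed to syslog */

static char g_ident[SAFE_IDENT_MAX + 1];  /* openlog() keeps a pointer to it */

/* Derive a bounded, never-NULL ident from argv[0]; returns its length.
 * outlen must be >= 1. Falls back to "unknown" for NULL or empty names. */
size_t safe_ident_from_argv0(const char *argv0, char *out, size_t outlen)
{
    const char *base = "unknown";
    if (argv0 != NULL && *argv0 != '\0') {
        const char *slash = strrchr(argv0, '/');
        base = (slash != NULL) ? slash + 1 : argv0;   /* basename(argv[0]) */
        if (*base == '\0')
            base = "unknown";                      /* e.g. "/usr/bin/" */
    }
    size_t n = strnlen(base, outlen - 1);          /* truncate, never overflow */
    memcpy(out, base, n);
    out[n] = '\0';
    return n;
}

/* Call once at startup so glibc never falls back to argv[0] as the ident. */
void safe_openlog(const char *argv0, int facility)
{
    safe_ident_from_argv0(argv0, g_ident, sizeof g_ident);
    openlog(g_ident, LOG_PID | LOG_NDELAY, facility);
}

/* Log msg truncated to at most SAFE_MSG_MAX bytes; returns the bytes kept.
 * The fixed "%s" format also keeps msg from ever being parsed as a format. */
size_t safe_syslog_bounded(int priority, const char *msg)
{
    static char buf[SAFE_MSG_MAX + 1];
    size_t n = strnlen(msg, SAFE_MSG_MAX);
    memcpy(buf, msg, n);
    buf[n] = '\0';
    syslog(priority, "%s", buf);
    return n;
}
```

This only narrows what a caller hands to syslog(); the fix the advisory calls for is updating glibc to >= 2.38-r10.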