• [SECURITY] [DSA 5611-1] glibc security update

    From Salvatore Bonaccorso@21:1/5 to All on Tue Jan 30 19:40:01 2024
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-5611-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso January 30, 2024 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : glibc
    CVE ID : CVE-2023-6246 CVE-2023-6779 CVE-2023-6780

    The Qualys Research Labs discovered several vulnerabilities in the GNU C Library's __vsyslog_internal() function (called by syslog() and
    vsyslog()). A heap-based buffer overflow (CVE-2023-6246), an off-by-one
    heap overflow (CVE-2023-6779) and an integer overflow (CVE-2023-6780)
    can be exploited for privilege escalation or denial of service.

    Details can be found in the Qualys advisory at https://www.qualys.com/2024/01/30/syslog

    Additionally a memory corruption was discovered in the glibc's qsort() function, due to missing bounds check and when called by a program
    with a non-transitive comparison function and a large number of attacker-controlled elements. As the use of qsort() with a
    non-transitive comparison function is undefined according to POSIX and
    ISO C standards, this is not considered a vulnerability in the glibc
    itself. However the qsort() implementation was hardened against
    misbehaving callers.

    Details can be found in the Qualys advisory at https://www.qualys.com/2024/01/30/qsort

    For the stable distribution (bookworm), these problems have been fixed in version 2.36-9+deb12u4.

    We recommend that you upgrade your glibc packages.

    For the detailed security status of glibc please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/glibc

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org
    -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmW5P2BfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0TCeQ//VD4TdNtM/wBBMsQ2/RTFVO81yT6ZJ2jxy8v2h9ZZtsBhi1kMP+P4E2pC yAl+8TGZpKCbMqifecV85Z9674aUfEFrqju8E1Mt1kp63MTmagJvPuZg318hjMRg byve8v9nMJjpAotbetz5TesUX3eZeWbkAyqd45vg3g40lIyJHusKra5XEmAxflEB 8zFwZhwWVOZ7cIH2sbsRFprgPcz5YYKAvUEfVWQxikWaN+7XGNKzue6Ar0pkHHGd reLUTnGDv4NMr1Y7JLMau/nIO2JXvl7V2+EefFw02/vmRPovz4ZtmWek3vc2DRl9 JfGEIOkMpbxPgp0dZ2AyKjOEIpIutvGqzLm53MkcajvVlVAMyPPj25rgytaK+07T RS+oP77Bw+pDjRu1PpyCDRWIOCJmqP8esyq5IfMuLDBYPT8JvOyq2Iy/q5U+OvXL nYzvNXfqIkencR0Sd83aRGho6vWSy89mJEWhvMhjYmriJz7ipQo6t+FZb2Jq23wJ pXTcWz5ljtuSQRmf2A98InQsyg1sBVj3dH/8uYEl5f58TvF06SL6vJwtxJED1vLk LR9D1G2zyoJf6PFPMj+qtgdZKxYPX6Zr3nJTNRwM74Z8AYQEcuczWm2vhq78ipPi AyAjNDzU/MPUaDTKeyjS04XD3tyOD3RDPWDjKhV/BiKFuAjuqro=
    =Zs+W
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)