Headline
Debian Security Advisory 5611-1
Debian Linux Security Advisory 5611-1 - The Qualys Research Labs discovered several vulnerabilities in the GNU C Library’s __vsyslog_internal() function (called by syslog() and vsyslog()). A heap-based buffer overflow (CVE-2023-6246), an off-by-one heap overflow (CVE-2023-6779) and an integer overflow (CVE-2023-6780) can be exploited for privilege escalation or denial of service.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Debian Security Advisory DSA-5611-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
January 30, 2024 https://www.debian.org/security/faq
Package : glibc
CVE ID : CVE-2023-6246 CVE-2023-6779 CVE-2023-6780
The Qualys Research Labs discovered several vulnerabilities in the GNU C
Library’s __vsyslog_internal() function (called by syslog() and
vsyslog()). A heap-based buffer overflow (CVE-2023-6246), an off-by-one
heap overflow (CVE-2023-6779) and an integer overflow (CVE-2023-6780)
can be exploited for privilege escalation or denial of service.
Details can be found in the Qualys advisory at
https://www.qualys.com/2024/01/30/syslog
Additionally a memory corruption was discovered in the glibc’s qsort()
function, due to missing bounds check and when called by a program
with a non-transitive comparison function and a large number of
attacker-controlled elements. As the use of qsort() with a
non-transitive comparison function is undefined according to POSIX and
ISO C standards, this is not considered a vulnerability in the glibc
itself. However the qsort() implementation was hardened against
misbehaving callers.
Details can be found in the Qualys advisory at
https://www.qualys.com/2024/01/30/qsort
For the stable distribution (bookworm), these problems have been fixed in
version 2.36-9+deb12u4.
We recommend that you upgrade your glibc packages.
For the detailed security status of glibc please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/glibc
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: [email protected]
-----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmW5P2BfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TCeQ//VD4TdNtM/wBBMsQ2/RTFVO81yT6ZJ2jxy8v2h9ZZtsBhi1kMP+P4E2pC
yAl+8TGZpKCbMqifecV85Z9674aUfEFrqju8E1Mt1kp63MTmagJvPuZg318hjMRg
byve8v9nMJjpAotbetz5TesUX3eZeWbkAyqd45vg3g40lIyJHusKra5XEmAxflEB
8zFwZhwWVOZ7cIH2sbsRFprgPcz5YYKAvUEfVWQxikWaN+7XGNKzue6Ar0pkHHGd
reLUTnGDv4NMr1Y7JLMau/nIO2JXvl7V2+EefFw02/vmRPovz4ZtmWek3vc2DRl9
JfGEIOkMpbxPgp0dZ2AyKjOEIpIutvGqzLm53MkcajvVlVAMyPPj25rgytaK+07T
RS+oP77Bw+pDjRu1PpyCDRWIOCJmqP8esyq5IfMuLDBYPT8JvOyq2Iy/q5U+OvXL
nYzvNXfqIkencR0Sd83aRGho6vWSy89mJEWhvMhjYmriJz7ipQo6t+FZb2Jq23wJ
pXTcWz5ljtuSQRmf2A98InQsyg1sBVj3dH/8uYEl5f58TvF06SL6vJwtxJED1vLk
LR9D1G2zyoJf6PFPMj+qtgdZKxYPX6Zr3nJTNRwM74Z8AYQEcuczWm2vhq78ipPi
AyAjNDzU/MPUaDTKeyjS04XD3tyOD3RDPWDjKhV/BiKFuAjuqro=
=Zs+W
-----END PGP SIGNATURE-----
Related news
Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239140 Let’s start with my open source projects. Vulremi A simple vulnerability remediation utility, Vulremi, now has a logo and […]
Gentoo Linux Security Advisory 202402-1 - Multiple vulnerabilities in glibc could result in Local Privilege Escalation. Versions greater than or equal to 2.38-r10 are affected.
Ubuntu Security Notice 6620-1 - It was discovered that the GNU C Library incorrectly handled the syslog function call. A local attacker could use this issue to execute arbitrary code and possibly escalate privileges.
Qualys discovered a heap-based buffer overflow in the GNU C Library's __vsyslog_internal() function, which is called by both syslog() and vsyslog(). This vulnerability was introduced in glibc 2.37 (in August 2022).
Qualys discovered a heap-based buffer overflow in the GNU C Library's __vsyslog_internal() function, which is called by both syslog() and vsyslog(). This vulnerability was introduced in glibc 2.37 (in August 2022).
Qualys discovered a heap-based buffer overflow in the GNU C Library's __vsyslog_internal() function, which is called by both syslog() and vsyslog(). This vulnerability was introduced in glibc 2.37 (in August 2022).
Qualys discovered a memory corruption in the glibc's qsort() function, due to a missing bounds check. To be vulnerable, a program must call qsort() with a nontransitive comparison function (a function cmp(int a, int b) that returns (a - b), for example) and with a large number of attacker-controlled elements (to cause a malloc() failure inside qsort()). They have not tried to find such a vulnerable program in the real world. All glibc versions from at least September 1992 (glibc 1.04) to the current release (glibc 2.38) are affected, but the glibc's developers have independently discovered and patched this memory corruption in the master branch (commit b9390ba, "stdlib: Fix array bounds protection in insertion sort phase of qsort") during a recent refactoring of qsort().
By Deeba Ahmed Patch Now or Pay Later: Qsort Flaw Leaves Millions of Linux Systems Exposed. This is a post from HackRead.com Read the original post: Critical Flaws Found in GNU C Library, Major Linux Distros at Risk
By Deeba Ahmed Patch Now or Pay Later: Qsort Flaw Leaves Millions of Linux Systems Exposed. This is a post from HackRead.com Read the original post: Critical Flaws Found in GNU C Library, Major Linux Distros at Risk
By Deeba Ahmed Patch Now or Pay Later: Qsort Flaw Leaves Millions of Linux Systems Exposed. This is a post from HackRead.com Read the original post: Critical Flaws Found in GNU C Library, Major Linux Distros at Risk
Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc). Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It's said to have been accidentally
Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc). Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It's said to have been accidentally
Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc). Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It's said to have been accidentally