DSA-5611-1 glibc -- glibcID: oval:org.secpod.oval:def:97878 | Date: (C)2024-02-09 (M)2024-04-03 |
Class: PATCH | Family: unix |
The Qualys Research Labs discovered several vulnerabilities in the GNU C Library"s __vsyslog_internal function . A heap-based buffer overflow , an off-by-one heap overflow and an integer overflow can be exploited for privilege escalation or denial of service. Details can be found in the Qualys advisory at https://www.qualys.com/2024/01/30/syslog Additionally a memory corruption was discovered in the glibc"s qsort function, due to missing bounds check and when called by a program with a non-transitive comparison function and a large number of attacker-controlled elements. As the use of qsort with a non-transitive comparison function is undefined according to POSIX and ISO C standards, this is not considered a vulnerability in the glibc itself. However the qsort implementation was hardened against misbehaving callers. Details can be found in the Qualys advisory at https://www.qualys.com/2024/01/30/qsort
Product: |
glibc-doc |
libc-l10n |
libc6 |
libc-devtools |
glibc-source |
locales |
libc-bin |
libc-dev-bin |
nscd |