Nixpkgs security tracker

Untriaged

Permalink CVE-2023-6779

8.2 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): HIGH

created 1 year, 2 months ago

Glibc: off-by-one heap-based buffer overflow in __vsyslog_internal()

An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.

References

http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over…
http://seclists.org/fulldisclosure/2024/Feb/3
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHAT
RHBZ#2254395 x_refsource_REDHATissue-tracking
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://security.gentoo.org/glsa/202402-01
https://www.openwall.com/lists/oss-security/2024/01/30/6
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
https://security.netapp.com/advisory/ntap-20240223-0006/
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over… x_transferred
http://seclists.org/fulldisclosure/2024/Feb/3 x_transferred
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHATx_transferred
RHBZ#2254395 x_refsource_REDHATissue-trackingx_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://security.gentoo.org/glsa/202402-01 x_transferred
https://www.openwall.com/lists/oss-security/2024/01/30/6 x_transferred
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt x_transferred
https://security.netapp.com/advisory/ntap-20240223-0006/ x_transferred
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over…
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHAT
RHBZ#2254395 x_refsource_REDHATissue-tracking
https://www.openwall.com/lists/oss-security/2024/01/30/6
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHAT
RHBZ#2254395 x_refsource_REDHATissue-tracking
https://www.openwall.com/lists/oss-security/2024/01/30/6
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over…
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHAT
RHBZ#2254395 x_refsource_REDHATissue-tracking
https://www.openwall.com/lists/oss-security/2024/01/30/6
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over…
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://security.gentoo.org/glsa/202402-01
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHAT
RHBZ#2254395 x_refsource_REDHATissue-tracking
https://www.openwall.com/lists/oss-security/2024/01/30/6
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over…
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://security.gentoo.org/glsa/202402-01
http://seclists.org/fulldisclosure/2024/Feb/3
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over…
http://seclists.org/fulldisclosure/2024/Feb/3
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHAT
RHBZ#2254395 x_refsource_REDHATissue-tracking
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://security.gentoo.org/glsa/202402-01
https://www.openwall.com/lists/oss-security/2024/01/30/6
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over…
http://seclists.org/fulldisclosure/2024/Feb/3
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHAT
RHBZ#2254395 x_refsource_REDHATissue-tracking
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://security.gentoo.org/glsa/202402-01
https://www.openwall.com/lists/oss-security/2024/01/30/6
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over…
http://seclists.org/fulldisclosure/2024/Feb/3
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHAT
RHBZ#2254395 x_refsource_REDHATissue-tracking
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://security.gentoo.org/glsa/202402-01
https://www.openwall.com/lists/oss-security/2024/01/30/6
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
https://security.netapp.com/advisory/ntap-20240223-0006/
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over…
http://seclists.org/fulldisclosure/2024/Feb/3
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHAT
RHBZ#2254395 x_refsource_REDHATissue-tracking
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://security.gentoo.org/glsa/202402-01
https://www.openwall.com/lists/oss-security/2024/01/30/6
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
https://security.netapp.com/advisory/ntap-20240223-0006/
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over… x_transferred
http://seclists.org/fulldisclosure/2024/Feb/3 x_transferred
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHATx_transferred
RHBZ#2254395 x_refsource_REDHATissue-trackingx_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://security.gentoo.org/glsa/202402-01 x_transferred
https://www.openwall.com/lists/oss-security/2024/01/30/6 x_transferred
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt x_transferred
https://security.netapp.com/advisory/ntap-20240223-0006/ x_transferred
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over…
http://seclists.org/fulldisclosure/2024/Feb/3
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHAT
RHBZ#2254395 x_refsource_REDHATissue-tracking
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://security.gentoo.org/glsa/202402-01
https://www.openwall.com/lists/oss-security/2024/01/30/6
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
https://security.netapp.com/advisory/ntap-20240223-0006/
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over… x_transferred
http://seclists.org/fulldisclosure/2024/Feb/3 x_transferred
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHATx_transferred
RHBZ#2254395 x_refsource_REDHATissue-trackingx_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://security.gentoo.org/glsa/202402-01 x_transferred
https://www.openwall.com/lists/oss-security/2024/01/30/6 x_transferred
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt x_transferred
https://security.netapp.com/advisory/ntap-20240223-0006/ x_transferred
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over…
http://seclists.org/fulldisclosure/2024/Feb/3
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHAT
RHBZ#2254395 x_refsource_REDHATissue-tracking
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj…
https://security.gentoo.org/glsa/202402-01
https://www.openwall.com/lists/oss-security/2024/01/30/6
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
https://security.netapp.com/advisory/ntap-20240223-0006/
http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Over… x_transferred
http://seclists.org/fulldisclosure/2024/Feb/3 x_transferred
https://access.redhat.com/security/cve/CVE-2023-6779 vdb-entryx_refsource_REDHATx_transferred
RHBZ#2254395 x_refsource_REDHATissue-trackingx_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproj… x_transferred
https://security.gentoo.org/glsa/202402-01 x_transferred
https://www.openwall.com/lists/oss-security/2024/01/30/6 x_transferred
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt x_transferred
https://security.netapp.com/advisory/ntap-20240223-0006/ x_transferred

Affected products

glibc

==2.39

compat-glibc

Matching in nixpkgs

pkgs.glibc

GNU C Library

nixos-unstable 2.40-36
- nixpkgs-unstable 2.40-36
- nixos-unstable-small 2.40-36

pkgs.iconv

GNU C Library

nixos-unstable 2.40-36
- nixpkgs-unstable 2.40-36
- nixos-unstable-small 2.40-36

pkgs.getent

None

nixos-unstable 2.40-36
- nixpkgs-unstable 2.40-36
- nixos-unstable-small 2.40-36

pkgs.locale

None

nixos-unstable 2.40-36
- nixpkgs-unstable 2.40-36
- nixos-unstable-small 2.40-36

pkgs.mtrace

Perl script used to interpret and provide human readable output of the trace log contained in the file mtracedata, whose contents were produced by mtrace(3)

nixos-unstable 2.40-36
- nixpkgs-unstable 2.40-36
- nixos-unstable-small 2.40-36

pkgs.getconf

None

nixos-unstable 2.40-36
- nixpkgs-unstable 2.40-36
- nixos-unstable-small 2.40-36

pkgs.libiconv

None

nixos-unstable 2.40
- nixpkgs-unstable 2.40
- nixos-unstable-small 2.40

pkgs.glibcInfo

GNU Info manual of the GNU C Library

nixos-unstable 2.40-36
- nixpkgs-unstable 2.40-36
- nixos-unstable-small 2.40-36

pkgs.glibc_multi

None

nixos-unstable 2.40-36
- nixpkgs-unstable 2.40-36
- nixos-unstable-small 2.40-36

pkgs.glibcLocales

Locale information for the GNU C Library

nixos-unstable 2.40-36
- nixpkgs-unstable 2.40-36
- nixos-unstable-small 2.40-36

pkgs.glibc_memusage

GNU C Library

nixos-unstable 2.40-36
- nixpkgs-unstable 2.40-36
- nixos-unstable-small 2.40-36

pkgs.glibcLocalesUtf8

Locale information for the GNU C Library

nixos-unstable 2.40-36
- nixpkgs-unstable 2.40-36
- nixos-unstable-small 2.40-36

pkgs.unixtools.getent

None

nixos-unstable 2.40-36
- nixpkgs-unstable 2.40-36
- nixos-unstable-small 2.40-36

pkgs.unixtools.locale

None

nixos-unstable 2.40-36
- nixpkgs-unstable 2.40-36
- nixos-unstable-small 2.40-36

pkgs.unixtools.getconf

None

nixos-unstable 2.40-36
- nixpkgs-unstable 2.40-36
- nixos-unstable-small 2.40-36

Package maintainers

@Ma27 Maximilian Bosch <maximilian@mbosch.me>
@ConnorBaker Connor Baker <ConnorBaker01@gmail.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.glibc

pkgs.iconv

pkgs.getent

pkgs.locale

pkgs.mtrace

pkgs.getconf

pkgs.libiconv

pkgs.glibcInfo

pkgs.glibc_multi

pkgs.glibcLocales

pkgs.glibc_memusage

pkgs.glibcLocalesUtf8

pkgs.unixtools.getent

pkgs.unixtools.locale

pkgs.unixtools.getconf

Package maintainers