Bug 31760

Summary: glibc new security issue CVE-2023-0687
Product: Mageia Reporter: David Walser <luigiwalser>
Component: RPM PackagesAssignee: Thomas Backlund <tmb>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: glibc-2.36-34.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-04-05 02:28:35 CEST 
SUSE has issued an advisory on March 31:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014292.html

Mageia 8 is also affected.
David Walser 2023-04-05 02:28:47 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Thomas Backlund 2023-04-05 10:04:49 CEST 
disputed upstream:
https://sourceware.org/bugzilla/show_bug.cgi?id=29444#c9
Comment 2 Thomas Backlund 2023-06-27 17:37:09 CEST 
Fixed in Cauldron since 2.36-36.mga9

I wont push to mga8 as upstream has disputed it and reported it to mitre, and pointed out that:

"
My point is that this step above needs specific knowledge of the address space *and* control over execution to make this happen.  Without such control, there's no exploitation vector.
"

so basically impossible to exploit in reality...

I've queued the fix in svn for mga8 if there is something else that needs fixing

QA Contact: security => (none)
Resolution: (none) => FIXED
Severity: major => normal
Whiteboard: MGA8TOO => (none)
Status: NEW => RESOLVED
Component: Security => RPM Packages