https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt

Exploit code:
(exec -a "`printf '%0128000x' 1`" /usr/bin/su < /dev/null)

German news article about this:
https://www.heise.de/news/Linux-Sicherheitsluecke-in-glibc-bringt-Angreifern-Root-Privilegien-9614333.html?wt_mc=rss.red.ho.ho.atom.beitrag.beitrag
CVE: (none) => CVE-2023-6246, CVE-2023-6779, CVE-2023-6780
https://security-tracker.debian.org/tracker/DSA-5611-1 https://bodhi.fedoraproject.org/updates/FEDORA-2024-aec80d6e8a
Thank you for reporting this and for giving all the references. Assigning to BaseSystem.

CC: (none) => nicolas.salguero
Assignee: bugsquad => basesystem
Priority: Normal => High
Summary: Heap-based buffer overflow in the glibc's syslog() => Heap-based buffer overflow in the glibc's syslog(), CVE-2023-6246, CVE-2023-6779, CVE-2023-6780
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or was called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. (CVE-2023-6246)

An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. (CVE-2023-6779)

An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. (CVE-2023-6780)

References:
https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt
https://security-tracker.debian.org/tracker/DSA-5611-1
https://bodhi.fedoraproject.org/updates/FEDORA-2024-aec80d6e8a
========================

Updated packages in core/updates_testing:
========================

glibc-2.36-52.mga9
glibc-devel-2.36-52.mga9
glibc-doc-2.36-52.mga9
glibc-i18ndata-2.36-52.mga9
glibc-profile-2.36-52.mga9
glibc-static-devel-2.36-52.mga9
glibc-utils-2.36-52.mga9
nscd-2.36-52.mga9

from SRPM:
glibc-2.36-52.mga9.src.rpm

Source RPM: glibc => glibc-2.36-51.mga9.src.rpm
Status: NEW => ASSIGNED
Assignee: basesystem => qa-bugs
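A way to check a system for the CVE-2023-6246 trigger condition described in the advisory text above without running a setuid binary, as the `exec -a ... /usr/bin/su` one-liner in comment 0 does. This is an added example, not code from this bug report, from glibc or from Mageia: it re-executes itself with an oversized argv[0] (the same trick as `exec -a`), calls syslog() without openlog() so that glibc falls back to the program name, and reports whether the child died by a signal. The environment variable name SYSLOG_PROBE_CHILD, the probe's return-code convention and the use of /proc/self/exe are this example's own choices; the 1024-byte threshold is the figure from the advisory text.

```c
/* Added example: unprivileged probe for the syslog() program-name overflow
 * (CVE-2023-6246).  Not glibc or Mageia code.  It re-executes itself with an
 * argv[0] longer than the 1024-byte header buffer named in the advisory and
 * calls syslog() without openlog(), so ident is NULL and glibc uses the
 * basename of argv[0].  A child killed by a signal is the unpatched outcome. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <sys/wait.h>
#include <unistd.h>

/* Threshold taken from the advisory: program names longer than this push the
   syslog header past the fixed-size buffer. */
#define SYSLOG_HEADER_BUF 1024

/* Hypothetical marker (this example's own) that tells the re-executed child
   it should run the syslog() call instead of forking again. */
#define PROBE_CHILD_ENV "SYSLOG_PROBE_CHILD"

/* 1 if the basename of argv0 exceeds the header buffer, else 0. */
int progname_exceeds_limit(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    const char *base = slash ? slash + 1 : argv0;
    return strlen(base) > SYSLOG_HEADER_BUF;
}

/* Build a program name of exactly len bytes of 'A'; caller frees. */
char *make_long_progname(size_t len)
{
    char *name = malloc(len + 1);
    if (name == NULL)
        return NULL;
    memset(name, 'A', len);
    name[len] = '\0';
    return name;
}

/* Re-execute ourselves with a name_len-byte argv[0] and observe the child.
   Returns 1 if the child died by a signal (crash, as before the update),
   0 if it exited cleanly (as after the update), -1 if the probe could not run. */
int probe_syslog_progname(size_t name_len)
{
    if (getenv(PROBE_CHILD_ENV) != NULL) {
        /* We are the re-executed child: no openlog(), so ident is NULL and
           glibc formats the header with our oversized program name. */
        syslog(LOG_USER | LOG_INFO, "CVE-2023-6246 probe");
        _exit(0);
    }

    char *name = make_long_progname(name_len);
    if (name == NULL)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        free(name);
        return -1;
    }
    if (pid == 0) {
        char *argv[] = { name, NULL };   /* argv[0] is the long name */
        setenv(PROBE_CHILD_ENV, "1", 1);
        execv("/proc/self/exe", argv);
        _exit(127);                      /* exec failed */
    }

    free(name);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

int main(void)
{
    /* 128000 bytes: the same length the comment 0 one-liner uses. */
    int r = probe_syslog_progname(128000);
    if (r < 0) {
        perror("probe");
        return 2;
    }
    puts(r ? "child died by signal: syslog() program-name overflow present"
           : "child exited cleanly: oversized program name handled");
    return r;
}
```

A result of 1 matches the segmentation fault the testers saw before the update and 0 matches the behaviour after it. The one-liner in comment 0 aims at /usr/bin/su because it is setuid root and logs through syslog(), which is what turns the crash into the local privilege escalation case; this probe only exercises the crash path in an unprivileged process, so treat a clean exit as supporting evidence and still confirm that the installed glibc is 2.36-52.mga9 or later.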
CC: (none) => mageia
URL: (none) => https://security-tracker.debian.org/tracker/DSA-5611-1 https://bodhi.fedoraproject.org/updates/FEDORA-2024-aec80d6e8a
CC: (none) => marja11
Keywords: (none) => advisory
After the update, if I run the code from comment #0, the terminal closes after showing the message asking for a password. Is this the desired effect?

Yes. Without the patch, a segmentation fault was raised.
mga9-64 OK

Testing the code in Comment 0 in Konsole:

Before update: crash

Updating what my system "svarten" has installed of glibc, to
glibc-6:2.36-52.mga9.x86_64
glibc-devel-6:2.36-52.mga9.x86_64

Now Konsole closed when executing that code, right after displaying "password".

Given glibc is so fundamental, a test on i586 too would be good.

CC: (none) => fri
Whiteboard: (none) => MGA9-64-OK
Tested on real hardware, Mageia 9 i586. Updated without issues. Works as in my other test.
Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0026.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED