update: glibc

[dongsupark]

Name: glibc
CVEs: CVE-2023-5156, CVE-2023-6246, CVE-2023-6779, CVE-2023-6780, glibc-2024-01-30
CVSSs: 7.5, 7.8, n/a, n/a, n/a
Action Needed: update to >= 2.38-r10 for most ones, TBD for glibc-2024-01-30

Summary:

• CVE-2023-5156: A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.
• CVE-2023-6246: A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.
  • GLIBC-SA-2024-0001
• CVE-2023-6779: An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.
  • GLIBC-SA-2024-0002
• CVE-2023-6780: An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.
  • GLIBC-SA-2024-0003
• glibc-2024-01-30: Out of bounds read and write in qsort(). We discovered a memory corruption in the glibc's qsort() function, due to a missing bounds check. To be vulnerable, a program must call qsort() with a nontransitive comparison function (a function cmp(int a, int b)
  that returns (a - b), for example) and with a large number of attacker- controlled elements (to cause a malloc() failure inside qsort()). We have not tried to find such a vulnerable program in the real world.

refmap.gentoo:

• CVE-2023-5156: https://bugs.gentoo.org/918412
• CVE-2023-[6246,6779,6780]: https://bugs.gentoo.org/923352
• glibc-2024-01-30: https://bugs.gentoo.org/923355

[dongsupark]

Added CVE-2023-6246, CVE-2023-6779, CVE-2023-6780.

[dongsupark]

Added glibc-2024-01-30, a qsort issue. (No CVE)

[krnowak]

Updated, CVEs are addressed in the main branch, qsort issue is still TBD.

[dongsupark]

Added advisory/upstream-blocked, as the qsort issue is still not resolved, no news at all.