GLSA-202402-01 : glibc: Multiple Vulnerabilities

high Nessus Plugin ID 189928

Description

The remote host is affected by the vulnerability described in GLSA-202402-01 (glibc: Multiple Vulnerabilities)

- A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash. (CVE-2023-5156)

- A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer. (CVE-2023-6246)

- An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer. (CVE-2023-6779)

- An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer. (CVE-2023-6780)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

All glibc users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose >=sys-libs/glibc-2.38-r10

See Also

https://security.gentoo.org/glsa/202402-01

https://bugs.gentoo.org/show_bug.cgi?id=918412

https://bugs.gentoo.org/show_bug.cgi?id=923352

Plugin Details

Severity: High

ID: 189928

File Name: gentoo_GLSA-202402-01.nasl

Version: 1.2

Type: local

Published: 2/2/2024

Updated: 2/13/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-6246

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:gentoo:linux, p-cpe:/a:gentoo:linux:glibc

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/2/2024

Vulnerability Publication Date: 9/25/2023

Reference Information

CVE: CVE-2023-5156, CVE-2023-6246, CVE-2023-6779, CVE-2023-6780