oss-sec mailing list archives

Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence

From: Florian Weimer <fweimer () redhat com>
Date: Wed, 24 Apr 2024 18:13:56 +0200

* Adhemerval Zanella Netto:

The following security advisories have been published:

GLIBC-SA-2024-0004:
===================
ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence


For those who haven't prepared/shipped updates yet: we've got a fix for
a stack-based buffer overflow in nscd under review.

  [PATCH 0/4] Various nscd security fixes
  <https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer () redhat com/>

These are initial patches, still under review.  The glibc security team
will send a separate notification once official patches are ready.

The initial issue was reported in Bugzilla without an embargo period,
hence the public patch development.  The other bugs concern the same
code and are very minor compared to the initial finding, so a separate
embargo for them doesn't make sense.

Thanks,
Florian

Current thread:

The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Adhemerval Zanella Netto (Apr 17)
- Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Solar Designer (Apr 18)
- Re: The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence Florian Weimer (Apr 24)