SB2024013111 - Gentoo update for glibc
Published: January 31, 2024 Updated: March 7, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2022-39046)
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the software can store potentially sensitive data into a log file. When the syslog() function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.
2) Out-of-bounds read (CVE-ID: CVE-2023-4527)
The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the getaddrinfo() function called with the AF_UNSPEC address family. A remote attacker with control over DNS server can send a DNS response via TCP larger than 2048 bytes, trigger an out-of-bounds read and crash the application or gain access to potentially sensitive information.
Successful exploitation of the vulnerability requires that system is configured with no-aaaa mode via /etc/resolv.conf.
3) Use-after-free (CVE-ID: CVE-2023-4806)
The vulnerability allows an attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the getaddrinfo() function. A remote attacker can perform a denial of service (DoS) attack.
4) Buffer overflow (CVE-ID: CVE-2023-4911)
The vulnerability allows a local user to escalate privileges on the system.
Remediation
Install update from vendor's website.