Bugzilla – Bug 1214066
VUL-0: CVE-2023-39976: libqb: log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long log messages because the header size is not considered
Last modified: 2024-05-23 08:32:35 UTC
CVE-2023-39976

log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long log messages because the header size is not considered.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39976
https://www.cve.org/CVERecord?id=CVE-2023-39976
https://github.com/ClusterLabs/libqb/commit/1bbaa929b77113532785c408dd1b41cd0521ffc8
https://github.com/ClusterLabs/libqb/compare/v2.0.7...v2.0.8
https://github.com/ClusterLabs/libqb/pull/490
Affected:
- SUSE:SLE-12-SP2:Update/libqb 1.0.0
- SUSE:SLE-12-SP3:Update/libqb 1.0.3+20171226.6d62b64
- SUSE:SLE-15:Update/libqb 1.0.3+20171226.6d62b64
- SUSE:SLE-15-SP1:Update/libqb 1.0.3+20190326.a521604
- SUSE:SLE-15-SP3:Update/libqb 2.0.2+20201203.def947e
- SUSE:SLE-15-SP4:Update/libqb 2.0.4+20211112.a2691b9
- SUSE:SLE-15-SP5:Update/libqb 2.0.6+20220323.758044b
- SUSE:ALP:Source:Standard:1.0/libqb 2.0.7+20230607.06c8641

Not affected:
- openSUSE:Factory/libqb 2.0.8+20230721.002171b
SUSE-SU-2023:3728-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214066
CVE References: CVE-2023-39976
Sources used:
openSUSE Leap 15.4 (src): libqb-1.0.3+20190326.a521604-150100.3.9.1
SUSE Linux Enterprise High Availability Extension 15 SP1 (src): libqb-1.0.3+20190326.a521604-150100.3.9.1
SUSE Linux Enterprise High Availability Extension 15 SP2 (src): libqb-1.0.3+20190326.a521604-150100.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3727-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214066
CVE References: CVE-2023-39976
Sources used:
SUSE Linux Enterprise High Availability Extension 15 SP3 (src): libqb-2.0.2+20201203.def947e-150300.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3897-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214066
CVE References: CVE-2023-39976
Sources used:
openSUSE Leap 15.5 (src): libqb-2.0.6+20220323.758044b-150500.3.3.1
Basesystem Module 15-SP5 (src): libqb-2.0.6+20220323.758044b-150500.3.3.1
SUSE Linux Enterprise High Availability Extension 15 SP5 (src): libqb-2.0.6+20220323.758044b-150500.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3944-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1214066
CVE References: CVE-2023-39976
Sources used:
openSUSE Leap 15.4 (src): libqb-2.0.4+20211112.a2691b9-150400.4.3.1
Basesystem Module 15-SP4 (src): libqb-2.0.4+20211112.a2691b9-150400.4.3.1
SUSE Linux Enterprise High Availability Extension 15 SP4 (src): libqb-2.0.4+20211112.a2691b9-150400.4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Hu from comment #1)
> Affected:
> - SUSE:SLE-12-SP2:Update/libqb 1.0.0
> - SUSE:SLE-12-SP3:Update/libqb 1.0.3+20171226.6d62b64
> - SUSE:SLE-15:Update/libqb 1.0.3+20171226.6d62b64

FYI, these versions are immune to this issue, since they don't even contain the commit that had introduced the issue in the first place:
https://github.com/ClusterLabs/libqb/commit/0ec02f9ac589e9e21e447f4406ec104ade01ef73
done, closing