Bug 1218863 (CVE-2023-6246) - VUL-0: CVE-2023-6246: glibc: heap-based buffer overflow in the GNU C Library's __vsyslog_internal() function
Status: RESOLVED FIXED
Alias: CVE-2023-6246
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Andreas Schwab
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/391325/
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2023-6779 CVE-2023-6780
Reported: 2024-01-16 15:50 UTC by Alexander Bergmann
Modified: 2024-05-13 14:40 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 2 Alexander Bergmann 2024-01-16 15:52:16 UTC
CRD: 2024-01-30 18:00 UTC
Comment 6 Thomas Leroy 2024-01-23 08:27:46 UTC
Any news, Andreas?
Comment 7 Marcus Meissner 2024-01-31 07:49:19 UTC
Is public:

https://seclists.org/oss-sec/2024/q1/68
Comment 8 Marcus Meissner 2024-01-31 08:03:33 UTC
Qualys Security Advisory

CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog()


========================================================================
Contents
========================================================================

Summary
Analysis
Proof of concept
Exploitation
Acknowledgments
Timeline


========================================================================
Summary
========================================================================

We discovered a heap-based buffer overflow in the GNU C Library's
__vsyslog_internal() function, which is called by both syslog() and
vsyslog(). This vulnerability was introduced in glibc 2.37 (in August
2022) by the following commit:

  https://sourceware.org/git?p=glibc.git;a=commit;h=52a5be0df411ef3ff45c10c7c308cb92993d15b1

and was also backported to glibc 2.36 because this commit was a fix for
another, minor vulnerability in __vsyslog_internal() (CVE-2022-39046, an
"uninitialized memory [read] from the heap"):

  https://sourceware.org/bugzilla/show_bug.cgi?id=29536

For example, we confirmed that Debian 12 and 13, Ubuntu 23.04 and 23.10,
and Fedora 37 to 39 are vulnerable to this buffer overflow. Furthermore,
we successfully exploited an up-to-date, default installation of Fedora
38 (on amd64): a Local Privilege Escalation, from any unprivileged user
to full root. Other distributions are probably also exploitable.

To the best of our knowledge, this vulnerability cannot be triggered
remotely in any likely scenario (because it requires an argv[0], or an
openlog() ident argument, longer than 1024 bytes to be triggered).

Last-minute note: in December 1997 Solar Designer published information
about a very similar vulnerability in the vsyslog() of the old Linux
libc (https://insecure.org/sploits/linux.libc.5.4.38.vsyslog.html).

...
Comment 10 OBSbugzilla Bot 2024-01-31 15:35:01 UTC
This is an autogenerated message for OBS integration:
This bug (1218863) was mentioned in
https://build.opensuse.org/request/show/1143042 Factory / glibc
Comment 13 Marcus Meissner 2024-05-13 14:40:02 UTC
Done.