1222037 – (CVE-2023-45927) VUL-0: CVE-2023-45927: slang: arithmetic exception via tt_sprintf()

Bug 1222037 (CVE-2023-45927) - VUL-0: CVE-2023-45927: slang: arithmetic exception via tt_sprintf()

Summary: VUL-0: CVE-2023-45927: slang: arithmetic exception via tt_sprintf()

Status:	RESOLVED WONTFIX

Alias:	CVE-2023-45927

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Adam Majer
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/399107/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-45927:5.5:(AV:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-03-27 09:32 UTC by SMASH SMASH
Modified:	2024-07-07 07:25 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-03-27 09:32:35 UTC

S-Lang 2.3.2 was discovered to contain an arithmetic exception via the function tt_sprintf().

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-45927
https://www.cve.org/CVERecord?id=CVE-2023-45927
http://lists.jedsoft.org/lists/slang-users/2023/0000003.html
https://seclists.org/fulldisclosure/2024/Jan/55

Comment 1 Carlos López 2024-03-27 09:42:27 UTC

Haven't attempted to reproduce, but it seems this affects all versions:
 - SUSE:SLE-11:Update/slang (LTSS only)
 - SUSE:SLE-12:Update/slang
 - SUSE:SLE-15:Update/slang
 - SUSE:ALP:Source:Standard:1.0/slang

No fix from upstream yet.

Comment 5 Jan Engelhardt 2024-07-07 07:25:15 UTC

A patch was posted on Sun, 23 Jul 2023 12:37:16 -0400
http://lists.jedsoft.org/lists/slang-users/2023/0000005.html