ALT-PU-2024-2632-1

BDU:2023-06269

HIGH7.8

Уязвимость динамического загрузчика ld.so библиотеки glibc, позволяющая нарушителю выполнить произвольный код c повышенными привилегиями

Published: 2023-10-04Modified: 2024-09-24

CVSS 3.xHIGH 7.8

CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:L/AC:L/Au:S/C:C/I:C/A:C

References

CVE-2023-4911

BDU:2023-06332

MEDIUM6.5

Уязвимость функции getaddrinfo системной библиотеки glibc, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2023-10-05Modified: 2024-09-13

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

CVSS 2.0MEDIUM 6.1

CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:N/A:C

References

CVE-2023-4527

BDU:2023-07710

HIGH7.5

Уязвимость системной библиотеки GNU C Library, связанная с неправильным освобождением памяти перед удалением последней ссылки, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2023-11-13Modified: 2024-03-21

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2023-5156

BDU:2024-00852

MEDIUM5.9

Уязвимость функции getaddrinfo библиотеки GNU C (glibc), позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-01-31Modified: 2025-03-05

CVSS 3.xMEDIUM 5.9

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 5.4

CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:N/A:C

References

CVE-2023-4806

BDU:2024-00871

HIGH7.3

Уязвимость функции vsyslog_internal библиотеки glibc, позволяющая нарушителю повысить свои привилегии до уровня root-пользователя

Published: 2024-01-31Modified: 2024-09-16

CVSS 3.xHIGH 7.3

CVSS:3.x/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:L/AC:L/Au:S/C:C/I:C/A:C

References

CVE-2023-6246

BDU:2024-01234

CRITICAL9.8

Уязвимость функции __vsyslog_internal системной библиотеки GNU C Library, связанная с неверным расчетом размера буфера, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2024-02-14Modified: 2024-09-16

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2023-6780

BDU:2024-01235

HIGH7.5

Уязвимость функции __vsyslog_internal библиотеки glibc, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2024-02-14Modified: 2024-09-16

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C

References

CVE-2023-6779

CVE-2023-4527

MEDIUM6.5

A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.

Published: 2023-09-18Modified: 2025-06-24

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

References

CVE-2023-4806

MEDIUM5.9

A flaw has been identified in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the _nss__gethostbyname2_r and _nss__getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.

Published: 2023-09-18Modified: 2025-09-26

CVSS 3.xMEDIUM 5.9

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2023-4911

HIGH7.8

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Published: 2023-10-03Modified: 2026-02-13

CVSS 3.xHIGH 7.8

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

CVE-2023-5156

HIGH7.5

A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.

Published: 2023-09-25Modified: 2024-11-21

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2023-6246

HIGH7.8

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

Published: 2024-01-31Modified: 2024-11-21

CVSS 3.xHIGH 7.8

CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

CVE-2023-6779

HIGH7.5

An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.

Published: 2024-01-31Modified: 2024-11-21

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2023-6780

MEDIUM5.3

An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.

Published: 2024-01-31Modified: 2025-02-07

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

Package update glibc in branch sisyphus_riscv64

Closed issues (14)

Уязвимость динамического загрузчика ld.so библиотеки glibc, позволяющая нарушителю выполнить произвольный код c повышенными привилегиями

Уязвимость функции getaddrinfo системной библиотеки glibc, позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость функции getaddrinfo библиотеки GNU C (glibc), позволяющая нарушителю вызвать отказ в обслуживании

Уязвимость функции vsyslog_internal библиотеки glibc, позволяющая нарушителю повысить свои привилегии до уровня root-пользователя

Уязвимость функции __vsyslog_internal библиотеки glibc, позволяющая нарушителю вызвать отказ в обслуживании

A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash.