Privilege escalation vulnerability glibc

[Driesp]

Hi all

This is a heads up, because I don't know there are patches ready.

There is another glibc vulnerability. Multiple distro's are affected.
The flaw is serious, so we should update when a new glibc version comes out.

More info here:

CVE-2023-6246 : A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called

CVE-2023-6246 : A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program...

www.cvedetails.com

Kind regards
Dries

 

[Richard G]

Seems Centos 7 and Alma 8 and 9 are not affected as they all have lower Glibc versions.
So if I understand correctly this is only for Debian/Ubuntu and Fedora, maybe also Centos Stream with newer glibc versions.

 

[Driesp]

Seems Centos 7 and Alma 8 and 9 are not affected as they all have lower Glibc versions.
So if I understand correctly this is only for Debian/Ubuntu and Fedora, maybe also Centos Stream with newer glibc versions.

Thanks, thats good news. I was not sure about this. I run primarly rocky 8 and 9.

 

[Richard G]

You can check for yourself.
Use this command:
ldd --version
it's a little L or just copy and paste the command.

In Alma 9.3 it will give this output:

root@server#ldd --version
ldd (GNU libc) 2.34

so it's not 2.36 or newer.

 

[ericosman]

Alma 8.9
ldd (GNU libc) 2.28

 

[Richard G]

Yep, I didn't mention it because Alma 8 is older and so logically has an older Glibc, as does Centos 7.

 

[ccto]

EL 7, 8, 9 are not affected , according to redhat.com
(RockyLinux / AlmaLinux shall probably share the same version of glibc)

ref.: https://access.redhat.com/security/cve/cve-2023-6246

 

[gate2vn]

Debian fixed it.