22:15:16[2024-01-30T22:15:16.049Z] Handling message: [agent:pfrankli, update:[autokarma:true, autotime:true, stable_karma:3, stable_days:14, unstable_karma:-3, requirements:, require_bugs:false, require_testcases:false, display_name:, notes:Security fix for CVE-2023-6246, CVE-2023-6779, and CVE-2023-6780.
22:15:16[2024-01-30T22:15:16.049Z]
22:15:16[2024-01-30T22:15:16.049Z] CVE-2023-6246: __vsyslog_internal did not handle a case where printing a SYSLOG_HEADER
22:15:16[2024-01-30T22:15:16.049Z] containing a long program name failed to update the required buffer
22:15:16[2024-01-30T22:15:16.049Z] size, leading to the allocation and overflow of a too-small buffer on
22:15:16[2024-01-30T22:15:16.049Z] the heap.
22:15:16[2024-01-30T22:15:16.049Z]
22:15:16[2024-01-30T22:15:16.049Z] CVE-2023-6779: __vsyslog_internal used the return value of snprintf/vsnprintf to
22:15:16[2024-01-30T22:15:16.049Z] calculate buffer sizes for memory allocation. If these functions (for
22:15:16[2024-01-30T22:15:16.049Z] any reason) failed and returned -1, the resulting buffer would be too
22:15:16[2024-01-30T22:15:16.049Z] small to hold output.
22:15:16[2024-01-30T22:15:16.049Z]
22:15:16[2024-01-30T22:15:16.049Z] CVE-2023-6780: __vsyslog_internal calculated a buffer size by adding two integers, but
22:15:16[2024-01-30T22:15:16.049Z] did not first check if the addition would overflow.
22:15:16[2024-01-30T22:15:16.049Z] , type:security, status:pending, request:testing, severity:high, suggest:reboot, locked:false, pushed:false, critpath:true, critpath_groups:core critical-path-anaconda critical-path-apps critical-path-base critical-path-build critical-path-compose critical-path-deepin-desktop critical-path-gnome critical-path-kde critical-path-lxde critical-path-lxqt critical-path-server critical-path-standard critical-path-xfce, close_bugs:true, date_submitted:2024-01-30 22:14:46, date_modified:null, date_approved:null, date_testing:null, date_stable:null, alias:FEDORA-2024-aec80d6e8a, test_gating_status:null, from_tag:null, date_pushed:null, meets_testing_requirements:false, url:https://bodhi.fedoraproject.org/updates/FEDORA-2024-aec80d6e8a, title:glibc-2.38-16.fc39, version_hash:bd30d9f9ab2af7be149ec169a6d45da34b1e94ad, release:[name:F39, long_name:Fedora 39, version:39, id_prefix:FEDORA, branch:f39, dist_tag:f39, stable_tag:f39-updates, testing_tag:f39-updates-testing, candidate_tag:f39-updates-candidate, pending_signing_tag:f39-signing-pending, pending_testing_tag:f39-updates-testing-pending, pending_stable_tag:f39-updates-pending, override_tag:f39-override, mail_template:fedora_errata_template, state:current, composed_by_bodhi:true, create_automatic_updates:false, package_manager:dnf, testing_repository:updates-testing, eol:2024-11-12], compose:null, comments:[[id:3369204, karma:0, karma_critpath:0, text:This update has been submitted for testing by pfrankli. 
, timestamp:2024-01-30 22:14:46, update_id:581933, user_id:91, bug_feedback:[], testcase_feedback:[], user:[id:91, name:bodhi, email:null, avatar:null, openid:null, groups:[]]]], builds:[[nvr:glibc-2.38-16.fc39, signed:false, release_id:70, type:rpm, epoch:0]], bugs:[[bug_id:2249053, title:CVE-2023-6246 glibc: heap-based buffer overflow in __vsyslog_internal(), security:true, parent:true, feedback:[]], [bug_id:2254395, title:CVE-2023-6779 glibc: off-by-one heap-based buffer overflow in __vsyslog_internal(), security:true, parent:true, feedback:[]], [bug_id:2254396, title:CVE-2023-6780 glibc: integer overflow in __vsyslog_internal(), security:true, parent:true, feedback:[]]], user:[id:1006, name:pfrankli, email:pfrankli@redhat.com, avatar:null, openid:null, groups:[[name:packager], [name:ipausers], [name:fedora-contributor], [name:signed_fpca], [name:fedorabugs]]], updateid:FEDORA-2024-aec80d6e8a, karma:0, content_type:rpm, test_cases:[]]]