[Buildroot] [PATCH-2023.02.x] package/{glibc, localedef}: security bump to 2.36-117
Peter Korsgaard
peter at korsgaard.com
Sat Sep 30 14:20:00 UTC 2023
>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:
> Fixes the following security issues:
> CVE-2023-4527: If the system is configured in no-aaaa mode via
> /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address
> family, and a DNS response is received over TCP that is larger than
> 2048 bytes, getaddrinfo may potentially disclose stack contents via
> the returned address data, or crash.
> CVE-2023-4806: When an NSS plugin only implements the
> _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
> memory that was freed during buffer resizing, potentially causing a
> crash or read or write to arbitrary memory.
> CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
> an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
> AI_ALL and AI_V4MAPPED flags set.
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Committed to 2023.02.x, thanks.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list