From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 2191) id DD5DD385840C; Tue, 7 Feb 2023 20:20:57 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org DD5DD385840C DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1675801257; bh=yK7GDlYb/LjfeSn5BonGeB5Z0hBB0IabcoPcqbBswVw=; h=From:To:Subject:Date:From; b=RDfKTS2LXJ9anHdfavKaz32CVQmfrIPYzYmY/oyz0pkPKm3Mh/cFhiB0MA3bgalWi 7iNDH2Ls0zbqMjpzWaHbteSPW/0X+zweVPBSK8BBcLmP337ydCZsuk05Dqg6xROm/z gaO/vPGPulmpaAYP1TfiF89fyz07dha1mf+dJJO4= Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: Carlos O'Donell To: glibc-cvs@sourceware.org Subject: [glibc] NEWS: Document CVE-2023-25139. X-Act-Checkin: glibc X-Git-Author: Carlos O'Donell X-Git-Refname: refs/heads/master X-Git-Oldrev: 41349f6f67c83e7bafe49f985b56493d2c4c9c77 X-Git-Newrev: 67c37737ed474d25fd4dc535dfd822c426e6b971 Message-Id: <20230207202057.DD5DD385840C@sourceware.org> Date: Tue, 7 Feb 2023 20:20:57 +0000 (GMT) List-Id: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=67c37737ed474d25fd4dc535dfd822c426e6b971 commit 67c37737ed474d25fd4dc535dfd822c426e6b971 Author: Carlos O'Donell Date: Mon Feb 6 10:36:32 2023 -0500 NEWS: Document CVE-2023-25139. Reviewed-by: Siddhesh Poyarekar Diff: --- NEWS | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index b227e72c9c..a7979a9cd3 100644 --- a/NEWS +++ b/NEWS 
@@ -21,7 +21,12 @@ Changes to build and runtime requirements: Security related changes: - [Add security related changes here] + CVE-2023-25139: When the printf family of functions is called with a + format specifier that uses an (enable grouping) and a + minimum width specifier, the resulting output could be larger than + reasonably expected by a caller that computed a tight bound on the + buffer size. The resulting larger than expected output could result + in a buffer overflow in the printf family of functions. The following bugs are resolved with this release:
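Review bot: The phrase "a format specifier that uses an (enable grouping)" in the new NEWS text is missing the name of the flag it refers to; as written, a reader cannot tell which printf conversion flag is meant. Since the parenthetical "(enable grouping)" describes the apostrophe flag, the entry should spell it out, e.g. "a format specifier that uses an apostrophe flag (enable grouping) and a minimum width specifier", so that anyone auditing callers for affected format strings knows what to search for. Also consider hyphenating "larger than expected" in "The resulting larger than expected output" for readability, matching the compound-adjective style used elsewhere in NEWS.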