public inbox for
help / color / mirror / Atom feed
* [glibc/release/2.37/master] NEWS: Document CVE-2023-25139.
@ 2023-02-08  1:12 Carlos O'Donell
  0 siblings, 0 replies; only message in thread
From: Carlos O'Donell @ 2023-02-08  1:12 UTC (permalink / raw)
  To: glibc-cvs;h=6fe86ecd787a2624cd638131629ba9a824040308

commit 6fe86ecd787a2624cd638131629ba9a824040308
Author: Carlos O'Donell <>
Date:   Mon Feb 6 10:36:32 2023 -0500

    NEWS: Document CVE-2023-25139.
    Reviewed-by: Siddhesh Poyarekar <>
    (cherry picked from commit 67c37737ed474d25fd4dc535dfd822c426e6b971)

 NEWS | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/NEWS b/NEWS
index 4da140db31..7ba8846fcc 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,15 @@ using `glibc' in the "product" field.
 Version 2.37.1
+Security related changes:
+  CVE-2023-25139: When the printf family of functions is called with a
+  format specifier that uses an <apostrophe> (enable grouping) and a
+  minimum width specifier, the resulting output could be larger than
+  reasonably expected by a caller that computed a tight bound on the
+  buffer size.  The resulting larger than expected output could result
+  in a buffer overflow in the printf family of functions.
 The following bugs are resolved with this release:
   [30053] time: strftime %s returns -1 after 2038 on 32 bits systems

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2023-02-08  1:12 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-02-08  1:12 [glibc/release/2.37/master] NEWS: Document CVE-2023-25139 Carlos O'Donell

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).