public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed
* [PATCH] NEWS: Document CVE-2023-25139.
@ 2023-02-06 15:36 Carlos O'Donell
  2023-02-06 18:36 ` Siddhesh Poyarekar
  0 siblings, 1 reply; 3+ messages in thread
From: Carlos O'Donell @ 2023-02-06 15:36 UTC (permalink / raw)
  To: libc-alpha, siddhesh; +Cc: Carlos O'Donell

---
 NEWS | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index b227e72c9c..a7979a9cd3 100644
--- a/NEWS
+++ b/NEWS
@@ -21,7 +21,12 @@ Changes to build and runtime requirements:
 
 Security related changes:
 
-  [Add security related changes here]
+  CVE-2023-25139: When the printf family of functions is called with a
+  format specifier that uses an <apostrophe> (enable grouping) and a
+  minimum width specifier, the resulting output could be larger than
+  reasonably expected by a caller that computed a tight bound on the
+  buffer size.  The resulting larger than expected output could result
+  in a buffer overflow in the printf family of functions.
 
 The following bugs are resolved with this release:
 
-- 
2.39.1


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-02-07 23:39 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-02-06 15:36 [PATCH] NEWS: Document CVE-2023-25139 Carlos O'Donell
2023-02-06 18:36 ` Siddhesh Poyarekar
2023-02-07 23:39   ` Carlos O'Donell

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).