From: Florian Weimer
To: oss-security@lists.openwall.com
Date: Wed, 24 Apr 2024 18:13:56 +0200
Message-ID: <871q6u91rv.fsf@oldenburg.str.redhat.com>
In-Reply-To: <23c15272-d797-4c3c-bbfb-e462c900978f@gmail.com> (Adhemerval Zanella Netto's message of "Wed, 17 Apr 2024 14:36:02 -0300")
Subject: Re: [oss-security] The GNU C Library security advisories update for 2024-04-17: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence

* Adhemerval Zanella Netto:

> The following security advisories have been published:
>
> GLIBC-SA-2024-0004:
> ===================
> ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence

For those who haven't prepared/shipped updates yet: we've got a fix for
a stack-based buffer overflow in nscd under review.

  [PATCH 0/4] Various nscd security fixes

These are initial patches, still under review. The glibc security team
will send a separate notification once official patches are ready.

The initial issue was reported in Bugzilla without an embargo period,
hence the public patch development. The other bugs concern the same
code and are very minor compared to the initial finding, so a separate
embargo for them doesn't make sense.

Thanks,
Florian