diff options
author | Carlos O'Donell <carlos@redhat.com> | 2023-02-06 10:36:32 -0500 |
---|---|---|
committer | Carlos O'Donell <carlos@redhat.com> | 2023-02-07 18:24:41 -0500 |
commit | 6fe86ecd787a2624cd638131629ba9a824040308 (patch) | |
tree | c4b30d906d2811c69314353240437046d94bc123 | |
parent | 07b9521fc6369d000216b96562ff7c0ed32a16c4 (diff) | |
download | glibc-6fe86ecd787a2624cd638131629ba9a824040308.tar.gz glibc-6fe86ecd787a2624cd638131629ba9a824040308.tar.xz glibc-6fe86ecd787a2624cd638131629ba9a824040308.zip |
NEWS: Document CVE-2023-25139.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> (cherry picked from commit 67c37737ed474d25fd4dc535dfd822c426e6b971)
-rw-r--r-- | NEWS | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/NEWS b/NEWS index 4da140db31..7ba8846fcc 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,15 @@ using `glibc' in the "product" field. Version 2.37.1 +Security related changes: + + CVE-2023-25139: When the printf family of functions is called with a + format specifier that uses an <apostrophe> (enable grouping) and a + minimum width specifier, the resulting output could be larger than + reasonably expected by a caller that computed a tight bound on the + buffer size. The resulting larger than expected output could result + in a buffer overflow in the printf family of functions. + The following bugs are resolved with this release: [30053] time: strftime %s returns -1 after 2038 on 32 bits systems |