NEWS: Document CVE-2023-25139.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
author: Carlos O'Donell <carlos@redhat.com> 2023-02-06 10:36:32 -0500
committer: Carlos O'Donell <carlos@redhat.com> 2023-02-07 15:19:39 -0500
commit: 67c37737ed474d25fd4dc535dfd822c426e6b971 (patch)
tree: ebd85749241a2c0252ebb2220905c5ee04d00081 /NEWS
parent: 41349f6f67c83e7bafe49f985b56493d2c4c9c77 (diff)
download: glibc-67c37737ed474d25fd4dc535dfd822c426e6b971.tar.gz
glibc-67c37737ed474d25fd4dc535dfd822c426e6b971.tar.xz
glibc-67c37737ed474d25fd4dc535dfd822c426e6b971.zip
1 files changed, 6 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index b227e72c9c..a7979a9cd3 100644
--- a/NEWS
+++ b/NEWS
@@ -21,7 +21,12 @@ Changes to build and runtime requirements:
 
 Security related changes:
 
-  [Add security related changes here]
+  CVE-2023-25139: When the printf family of functions is called with a
+  format specifier that uses an <apostrophe> (enable grouping) and a
+  minimum width specifier, the resulting output could be larger than
+  reasonably expected by a caller that computed a tight bound on the
+  buffer size.  The resulting larger than expected output could result
+  in a buffer overflow in the printf family of functions.
 
 The following bugs are resolved with this release:
author	Carlos O'Donell <carlos@redhat.com>	2023-02-06 10:36:32 -0500
committer	Carlos O'Donell <carlos@redhat.com>	2023-02-07 15:19:39 -0500
commit	67c37737ed474d25fd4dc535dfd822c426e6b971 (patch)
tree	ebd85749241a2c0252ebb2220905c5ee04d00081 /NEWS
parent	41349f6f67c83e7bafe49f985b56493d2c4c9c77 (diff)
download	glibc-67c37737ed474d25fd4dc535dfd822c426e6b971.tar.gz glibc-67c37737ed474d25fd4dc535dfd822c426e6b971.tar.xz glibc-67c37737ed474d25fd4dc535dfd822c426e6b971.zip