Move CVE information into advisories directory

One of the requirements to becoming a CVE Numbering Authority (CNA) is
to publish advisories.  Do this by maintaining a file for each CVE fixed
in the advisories directory in the source tree.  Links to the advisories
can then be shared as:

https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-YYYY-NNNN

The file format at the moment is rudimentary and derives from the git
commit format, i.e. a subject line and a potentially multi-paragraph
description and then tags to describe some meta information.  This is a
loose format at the moment and could change as we evolve this.

Also add a script process-fixed-cves.sh that processes these advisories
and generates a list to add to NEWS at release time.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

1 files changed, 14 insertions, 0 deletions

diff --git a/advisories/GLIBC-SA-2023-0001 b/advisories/GLIBC-SA-2023-0001
new file mode 100644
index 0000000000..12b4f8edb8
--- /dev/null
+++ b/advisories/GLIBC-SA-2023-0001
@@ -0,0 +1,14 @@
+printf: incorrect output for integers with thousands separator and width field
+
+When the printf family of functions is called with a format specifier
+that uses an <apostrophe> (enable grouping) and a minimum width
+specifier, the resulting output could be larger than reasonably expected
+by a caller that computed a tight bound on the buffer size.  The
+resulting larger than expected output could result in a buffer overflow
+in the printf family of functions.
+
+CVE-Id: CVE-2023-25139
+Public-Date: 2023-02-02
+Vulnerable-Commit: e88b9f0e5cc50cab57a299dc7efe1a4eb385161d (2.37)
+Fix-Commit: c980549cc6a1c03c23cc2fe3e7b0fe626a0364b0 (2.38)
+Fix-Backport: 07b9521fc6369d000216b96562ff7c0ed32a16c4 (2.37)