PT-2023-2539 · Pkgconf+3 · Pkgconf+3
Ariadne Conill
·
Publicado
2023-01-21
·
Atualizado
2025-04-02
·
CVE-2023-24056
CVSS v3.1
5.5
Média
| Vetor | AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
pkgconf versions 1.9.3 and earlier
Description
The issue is related to the
pkgconf tuple parse function in libpkgconf/tuple.c, which can cause an unbounded string expansion due to incorrect checks. This can lead to a denial of service when a specially crafted .pc file is used. For example, a .pc file containing a few hundred bytes can expand to one billion bytes.Recommendations
For versions 1.9.3 and earlier, update to a version later than 1.9.3 to resolve the issue.
As a temporary workaround, consider restricting the use of the
pkgconf tuple parse function in libpkgconf/tuple.c until a patch is available.
Avoid using variable duplication in .pc files to minimize the risk of exploitation.Exploit
Correção
Memory Corruption
Buffer Overflow
Improper Resource Release
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Alt Linux
Debian
Red Os
Pkgconf