The GNU C Library security advisories update for 2024-02-30

Adhemerval Zanella Netto
Tue Jan 30 18:23:49 GMT 2024

The following security advisories have been published:

syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6246)

__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER
containing a long program name failed to update the required buffer
size, leading to the allocation and overflow of a too-small buffer on
the heap.

syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6779)

__vsyslog_internal used the return value of snprintf/vsnprintf to
calculate buffer sizes for memory allocation.  If these functions (for
any reason) failed and returned -1, the resulting buffer would be too
small to hold output.

syslog: Integer overflow in __vsyslog_internal (CVE-2023-6780)

__vsyslog_internal calculated a buffer size by adding two integers, but
did not first check if the addition would overflow.


Published advisories are available directly in the project git repository:;a=tree;f=advisories;hb=HEAD

More information about the Libc-announce mailing list