Vulnerability in glibc - CVE-2022-23219
Bug #1961117 reported by
bhs
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
glibc (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Title: Vulnerability in Glibc - CVE-2022-23219
Expectation: Glibc needs to be upgraded to glib v2.35 (Feb2022 release)
Details of CVE - https:/
Description: The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka Glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.
CVE References
information type: | Private Security → Public |
To post a comment you must log in.
This issue was addressed in Ubuntu in https:/ /ubuntu. com/security/ notices/ USN-5310- 1 and https:/ /ubuntu. com/security/ notices/ USN-5310- 2 and the under development jammy/Ubuntu 22.04 LTS already has glibc 2.35 incorporated.
Please also note that Ubuntu has been building with stack-protector enabled since 2006, and thus the issue was limited to a denial of service.
Thanks.