Bug 1207975 (CVE-2023-0687) - VUL-1: CVE-2023-0687: glibc: gmon memory corruption due wrong calculation of required buffer size
Status: RESOLVED FIXED
Alias: CVE-2023-0687
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low Minor
Target Milestone: ---
Assignee: Andreas Schwab
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/356308/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-0687:0.0:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-02-07 09:00 UTC by Carlos López
Modified: 2024-05-13 14:37 UTC
CC List: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Carlos López 2023-02-07 09:00:29 UTC
rh#2167610

A vulnerability was found in GNU C Library 2.38. This vulnerability affects the function __monstartup of the file gmon.c of the component Call Graph Monitor. The manipulation leads to buffer overflow. It is recommended to apply a patch to fix this issue. VDB-220246 is the identifier assigned to this vulnerability.

https://vuldb.com/?ctiid.220246
https://sourceware.org/bugzilla/show_bug.cgi?id=29444
https://patchwork.sourceware.org/project/glibc/patch/20230204114138.5436-1-leo@yuriev.ru/
https://vuldb.com/?id.220246

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2167610
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0687
https://www.cve.org/CVERecord?id=CVE-2023-0687
https://vuldb.com/?id.220246
https://sourceware.org/bugzilla/show_bug.cgi?id=29444
https://vuldb.com/?ctiid.220246
https://patchwork.sourceware.org/project/glibc/patch/20230204114138.5436-1-leo@yuriev.ru/
Comment 1 Carlos López 2023-02-07 09:28:01 UTC
Affected:
- SUSE:SLE-11-SP3:Update
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-12-SP4:Update
- SUSE:SLE-15-SP3:Update
- SUSE:SLE-15:Update
- openSUSE:Factory
Comment 2 Andreas Taschner 2023-02-17 09:37:56 UTC
I am discussing the rating of this CVE with my customer.

Apparently NVD rates it as high (9.8) in https://nvd.nist.gov/vuln/detail/CVE-2023-0687, but in https://suse.com/security/cve/CVE-2023-0687.html NVD score is shown as 4.6.

What would the reason for this difference be ?
Comment 3 Andreas Taschner 2023-02-17 09:39:29 UTC
(In reply to Andreas Taschner from comment #2)
> I am discussing the rating of this CVE with my customer.
> 
> Apparently NVD rates it as high (9.8) in
> https://nvd.nist.gov/vuln/detail/CVE-2023-0687, but in
> https://suse.com/security/cve/CVE-2023-0687.html NVD score is shown as 4.6.
> 
> What would the reason for this difference be ?

Ahh - and reading further down on the NVD page VulDB has it as 4.6.
I guess we go with the lowest score.
Crawling back underneath my little rock.
Comment 4 Simon Kissane 2023-02-17 11:31:26 UTC
Just to be clear, this is an issue which only happens if you compile your binary with profiling on (`-pg` option to gcc, etc.). Production binaries almost never are compiled with profiling enabled; they are almost always only used for development and testing. Ignoring the possible (but quite rare) scenario that you (inappropriately) have profiling enabled in production, this issue will never occur in production. Furthermore, by default the monstartup function is only called at startup, by the CRT process startup code. In order for an attacker to exploit this issue, the application has to offer the attacker a way to invoke that function on demand. Such a way almost never will exist, and if it does, almost surely it is a security vulnerability in its own right. As such, this is not a real vulnerability at all – or maybe a purely theoretical one, with the exception of some exceedingly rare (and insecure) configurations.

I've been studying the code of this component (gmon) recently, and have become aware of other memory corruption issues beyond this one. However, given this is a component intended only for use in development, the actual security impact of those issues is marginal at best.

See also upstream glibc: https://sourceware.org/bugzilla/show_bug.cgi?id=29444 – the core upstream developers are opposed to this being listed as a security vulnerability and have been trying to get it disputed/rejected. It is just that the person who discovered this bug has decided "memory corruption = security vulnerability": which may be true in general, but memory corruption issues which only occur in what are (properly) developer-only configs are somewhat of an exception to that.
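A triage check that follows from the point above: the bug is only reachable in binaries built with profiling, so a defender can inventory deployed ELF binaries for the gmon hook symbols instead of patching blindly. This is an added example, not code from the bug report or from glibc; it assumes little-endian ELF64 input and that the hook names listed in PROFILING_SYMBOLS are the ones a `-pg` build imports.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
SHT_SYMTAB, SHT_DYNSYM, SHN_UNDEF = 2, 11, 0
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (64 bytes)
SHDR = struct.Struct("<IIQQQQIIQQ")        # ELF64 section header (64 bytes)
SYM = struct.Struct("<IBBHQQ")             # ELF64 symbol table entry (24 bytes)

# Imports that only a profiling (-pg) build pulls in: the mcount/fentry call
# gcc inserts in every function prologue, and the gmon start routine gcrt1.o calls.
# __gmon_start__ is deliberately NOT listed: ordinary crt1.o references it weakly
# in every dynamically linked binary, so it is not evidence of profiling.
PROFILING_SYMBOLS = {"mcount", "_mcount", "__fentry__", "__monstartup", "monstartup"}


def undefined_symbols(data: bytes) -> set:
    """Names of undefined (imported) symbols in .dynsym/.symtab of an ELF64 LE image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    sections = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    names = set()
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM) or sh_entsize == 0:
            continue
        str_off, str_size = sections[sh_link][4], sections[sh_link][5]  # linked string table
        for i in range(sh_size // sh_entsize):
            st_name, _, _, st_shndx, _, _ = SYM.unpack_from(data, sh_offset + i * sh_entsize)
            if st_shndx != SHN_UNDEF or st_name == 0:
                continue  # defined locally, or the null symbol
            start = str_off + st_name
            end = data.index(b"\x00", start, str_off + str_size)
            names.add(data[start:end].decode("ascii", "replace"))
    return names


def profiling_indicators(symbols) -> set:
    """Subset of imported symbols that show the binary was built with profiling."""
    return set(symbols) & PROFILING_SYMBOLS


def scan_file(path: str) -> set:
    with open(path, "rb") as f:
        return profiling_indicators(undefined_symbols(f.read()))


if __name__ == "__main__":
    for p in sys.argv[1:]:
        hits = scan_file(p)
        print(f"{p}: {'PROFILED via ' + ','.join(sorted(hits)) if hits else 'no profiling hooks'}")
```

Run it over a package's installed ELF files; a binary that reports no hooks never calls `__monstartup` and is not exposed to this bug.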
Comment 15 Maintenance Automation 2023-03-31 16:30:03 UTC
SUSE-SU-2023:1718-1: An update that solves one vulnerability and has three fixes can now be installed.

Category: security (moderate)
Bug References: 1207571, 1207957, 1207975, 1208358
CVE References: CVE-2023-0687
Sources used:
openSUSE Leap Micro 5.3 (src): glibc-2.31-150300.46.1
openSUSE Leap 15.4 (src): glibc-utils-src-2.31-150300.46.1, glibc-2.31-150300.46.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): glibc-2.31-150300.46.1
SUSE Linux Enterprise Micro 5.3 (src): glibc-2.31-150300.46.1
Basesystem Module 15-SP4 (src): glibc-2.31-150300.46.1
Development Tools Module 15-SP4 (src): glibc-utils-src-2.31-150300.46.1, glibc-2.31-150300.46.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): glibc-utils-src-2.31-150300.46.1, glibc-2.31-150300.46.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): glibc-utils-src-2.31-150300.46.1, glibc-2.31-150300.46.1
SUSE Linux Enterprise Real Time 15 SP3 (src): glibc-utils-src-2.31-150300.46.1, glibc-2.31-150300.46.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): glibc-utils-src-2.31-150300.46.1, glibc-2.31-150300.46.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): glibc-utils-src-2.31-150300.46.1, glibc-2.31-150300.46.1
SUSE Manager Proxy 4.2 (src): glibc-2.31-150300.46.1
SUSE Manager Retail Branch Server 4.2 (src): glibc-2.31-150300.46.1
SUSE Manager Server 4.2 (src): glibc-2.31-150300.46.1
SUSE Enterprise Storage 7.1 (src): glibc-utils-src-2.31-150300.46.1, glibc-2.31-150300.46.1
SUSE Linux Enterprise Micro 5.1 (src): glibc-2.31-150300.46.1
SUSE Linux Enterprise Micro 5.2 (src): glibc-2.31-150300.46.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): glibc-2.31-150300.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Maintenance Automation 2023-04-27 16:30:12 UTC
SUSE-SU-2023:1718-2: An update that solves one vulnerability and has three fixes can now be installed.

Category: security (moderate)
Bug References: 1207571, 1207957, 1207975, 1208358
CVE References: CVE-2023-0687
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.4 (src): glibc-2.31-150300.46.1
SUSE Linux Enterprise Micro 5.4 (src): glibc-2.31-150300.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Marcus Meissner 2024-05-13 14:37:26 UTC
done