Bug#1069191: glibc: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence

To: 1069191@bugs.debian.org, team@security.debian.org
Cc: team+pkg-php@tracker.debian.org, Ondřej Surý <ondrej@debian.org>, Lior Kaplan <kaplan@debian.org>
Subject: Bug#1069191: glibc: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
From: Charlemagne Lasse <charlemagnelasse@gmail.com>
Date: Mon, 22 Apr 2024 09:31:39 +0200
Message-id: <[🔎] CAFGhKbww5mHL6n05_FWjUN-jxGnG+j-3iS8m8eC_VW-KpPHzew@mail.gmail.com>
Reply-to: Charlemagne Lasse <charlemagnelasse@gmail.com>, 1069191@bugs.debian.org
References: <[🔎] 171338033078.2283913.14396337658987272890.reportbug@eldamar.lan>

Hi,

Can this be backported to older Debian versions via the security repo?
This bug can be used to execute code when using the PHP engine:

* https://www.offensivecon.org/speakers/2024/charles-fol.html
* https://www.openwall.com/lists/oss-security/2024/04/18/4

Reply to:

References:
- Bug#1069191: glibc: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: [Git][glibc-team/glibc] Pushed new tag debian/2.31-13+deb11u9
Next by Date: glibc_2.31-13+deb11u9_source.changes ACCEPTED into oldstable-proposed-updates->oldstable-new
Previous by thread: Bug#1069191: marked as done (glibc: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence)
Next by thread: Bug#1069191: marked as done (glibc: GLIBC-SA-2024-0004/CVE-2024-2961: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence)
Index(es):
- Date
- Thread