-------------------------------------------------------------------------
Debian LTS Advisory DLA-4084-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Andreas Henriksson
March 11, 2025 https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package : libmodbus
Version : 3.1.6-2+deb11u1
CVE ID : CVE-2022-0367 CVE-2024-10918
CVE-2024-36843 CVE-2024-36844 CVE-2024-36845
Debian Bug : 1074422
Two separate issues where identified and have now been adressed in libmodbus.
For one of the problems multiple CVE identifiers have been allocated to the
same issue and all of them are mentioned below.
CVE-2022-0367
A heap-based buffer overflow flaw was found in libmodbus in function
modbus_reply() in src/modbus.c.
CVE-2024-10918
Stack-based Buffer Overflow vulnerability in libmodbus v3.1.10 allows to
overflow the buffer allocated for the Modbus response if the function tries
to reply to a Modbus request with an unexpected length.
CVE-2024-36843
This is a duplicate of CVE-2022-0367
CVE-2024-36844
This is a duplicate of CVE-2022-0367
CVE-2024-36845
This is a duplicate of CVE-2022-0367
For Debian 11 bullseye, these problems have been fixed in version
3.1.6-2+deb11u1.
We recommend that you upgrade your libmodbus packages.
For the detailed security status of libmodbus please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libmodbus
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: PGP signature