Advisories » MGASA-2023-0077

Updated pkgconf packages fix security vulnerability

Publication date: 01 Mar 2023
Modification date: 01 Mar 2023
Type: security
Affected Mageia releases : 8
CVE: CVE-2023-24056

Description

In pkgconf through 1.9.3, variable duplication can cause unbounded string
expansion due to incorrect checks in
libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing
a few hundred bytes can expand to one billion bytes. (CVE-2023-24056)
                

References

• https://bugs.mageia.org/show_bug.cgi?id=31536
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ZWDULBZHRPQHGUXNQ3HNNHRJ3YXPJ7QH/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24056

SRPMS

8/core

• pkgconf-1.7.3-2.1.mga8