Main Vulnerability Database SB2023021315

SB2023021315 - Denial of service in pkgconf

Published: February 13, 2023

Security Bulletin ID SB2023021315

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Resource management error (CVE-ID: CVE-2023-24056)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to variable duplication in libpkgconf/tuple.c:pkgconf_tuple_parse, which may cause unbounded string expansion. A remote attacker can trick the victim to open a specially crafted .pc file containing a few hundred bytes that can expand to one billion bytes, resulting in a denial of service condition.

Remediation

Install update from vendor's website.

References

https://gitea.treehouse.systems/ariadne/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059
https://nullprogram.com/blog/2023/01/18/