SUSE update for gcc13



Published: 2023-11-20
Risk: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2023-4039
CWE-ID: CWE-254
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
Operating systems & Components / Operating system

Toolchain Module
SUSE Linux Enterprise Server for SAP Applications 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise High Performance Computing 12
SUSE Linux Enterprise Server for SAP Applications
SUSE Linux Enterprise Server

Operating systems & Components / Operating system package or component

libquadmath0-debuginfo
libgomp1-32bit
libgfortran5-32bit
libquadmath0-32bit-debuginfo
libgcc_s1-32bit
libstdc++6-pp-32bit
libubsan1-32bit
libobjc4-32bit-debuginfo
libgcc_s1-32bit-debuginfo
libobjc4-32bit
libatomic1-32bit
libstdc++6-32bit-debuginfo
libitm1-32bit
libubsan1-32bit-debuginfo
libitm1-32bit-debuginfo
libatomic1-32bit-debuginfo
libasan8-32bit
libquadmath0-32bit
libquadmath0
libasan8-32bit-debuginfo
libgomp1-32bit-debuginfo
libstdc++6-32bit
libgfortran5-32bit-debuginfo
libstdc++6-locale
libstdc++6-debuginfo
libtsan2-debuginfo
libgcc_s1-debuginfo
libgcc_s1
libstdc++6
libgfortran5-debuginfo
libhwasan0
libatomic1
libgomp1
libgomp1-debuginfo
libitm1
libasan8-debuginfo
libubsan1
libubsan1-debuginfo
libobjc4-debuginfo
libhwasan0-debuginfo
liblsan0
libasan8
libtsan2
liblsan0-debuginfo
libobjc4
libgfortran5
libitm1-debuginfo
libatomic1-debuginfo
libstdc++6-pp
cross-nvptx-gcc13-debuginfo
cross-nvptx-gcc13-debugsource
cross-nvptx-gcc13
cross-nvptx-newlib13-devel
libstdc++6-devel-gcc13-32bit
gcc13-fortran-32bit
gcc13-32bit
gcc13-c++-32bit
gcc13-info
cpp13
gcc13-debugsource
gcc13-c++
gcc13-fortran-debuginfo
cpp13-debuginfo
libstdc++6-devel-gcc13
gcc13-c++-debuginfo
gcc13-debuginfo
gcc13-fortran
gcc13
gcc13-locale
gcc13-PIE

Vendor: SUSE

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Security features bypass

EUVDB-ID: #VU81045

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4039

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because GCC's stack smashing protection does not detect or defend against overflows of dynamically-sized local variables on AArch64 targets. A remote attacker can bypass expected security restrictions and successfully exploit buffer overflow vulnerabilities.

Mitigation

Update the affected package gcc13 to the latest version.

Vulnerable software versions

Toolchain Module: 12

SUSE Linux Enterprise Server for SAP Applications 12: SP1 - SP5

SUSE Linux Enterprise Server 12: SP1 - SP5

SUSE Linux Enterprise High Performance Computing 12: SP2 - SP5

SUSE Linux Enterprise Server for SAP Applications: 12-SP4

SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON

libquadmath0-debuginfo: before 13.2.1+git7813-1.10.1

libgomp1-32bit: before 13.2.1+git7813-1.10.1

libgfortran5-32bit: before 13.2.1+git7813-1.10.1

libquadmath0-32bit-debuginfo: before 13.2.1+git7813-1.10.1

libgcc_s1-32bit: before 13.2.1+git7813-1.10.1

libstdc++6-pp-32bit: before 13.2.1+git7813-1.10.1

libubsan1-32bit: before 13.2.1+git7813-1.10.1

libobjc4-32bit-debuginfo: before 13.2.1+git7813-1.10.1

libgcc_s1-32bit-debuginfo: before 13.2.1+git7813-1.10.1

libobjc4-32bit: before 13.2.1+git7813-1.10.1

libatomic1-32bit: before 13.2.1+git7813-1.10.1

libstdc++6-32bit-debuginfo: before 13.2.1+git7813-1.10.1

libitm1-32bit: before 13.2.1+git7813-1.10.1

libubsan1-32bit-debuginfo: before 13.2.1+git7813-1.10.1

libitm1-32bit-debuginfo: before 13.2.1+git7813-1.10.1

libatomic1-32bit-debuginfo: before 13.2.1+git7813-1.10.1

libasan8-32bit: before 13.2.1+git7813-1.10.1

libquadmath0-32bit: before 13.2.1+git7813-1.10.1

libquadmath0: before 13.2.1+git7813-1.10.1

libasan8-32bit-debuginfo: before 13.2.1+git7813-1.10.1

libgomp1-32bit-debuginfo: before 13.2.1+git7813-1.10.1

libstdc++6-32bit: before 13.2.1+git7813-1.10.1

libgfortran5-32bit-debuginfo: before 13.2.1+git7813-1.10.1

libstdc++6-locale: before 13.2.1+git7813-1.10.1

libstdc++6-debuginfo: before 13.2.1+git7813-1.10.1

libtsan2-debuginfo: before 13.2.1+git7813-1.10.1

libgcc_s1-debuginfo: before 13.2.1+git7813-1.10.1

libgcc_s1: before 13.2.1+git7813-1.10.1

libstdc++6: before 13.2.1+git7813-1.10.1

libgfortran5-debuginfo: before 13.2.1+git7813-1.10.1

libhwasan0: before 13.2.1+git7813-1.10.1

libatomic1: before 13.2.1+git7813-1.10.1

libgomp1: before 13.2.1+git7813-1.10.1

libgomp1-debuginfo: before 13.2.1+git7813-1.10.1

libitm1: before 13.2.1+git7813-1.10.1

libasan8-debuginfo: before 13.2.1+git7813-1.10.1

libubsan1: before 13.2.1+git7813-1.10.1

libubsan1-debuginfo: before 13.2.1+git7813-1.10.1

libobjc4-debuginfo: before 13.2.1+git7813-1.10.1

libhwasan0-debuginfo: before 13.2.1+git7813-1.10.1

liblsan0: before 13.2.1+git7813-1.10.1

libasan8: before 13.2.1+git7813-1.10.1

libtsan2: before 13.2.1+git7813-1.10.1

liblsan0-debuginfo: before 13.2.1+git7813-1.10.1

libobjc4: before 13.2.1+git7813-1.10.1

libgfortran5: before 13.2.1+git7813-1.10.1

libitm1-debuginfo: before 13.2.1+git7813-1.10.1

libatomic1-debuginfo: before 13.2.1+git7813-1.10.1

libstdc++6-pp: before 13.2.1+git7813-1.10.1

cross-nvptx-gcc13-debuginfo: before 13.2.1+git7813-1.10.1

cross-nvptx-gcc13-debugsource: before 13.2.1+git7813-1.10.1

cross-nvptx-gcc13: before 13.2.1+git7813-1.10.1

cross-nvptx-newlib13-devel: before 13.2.1+git7813-1.10.1

libstdc++6-devel-gcc13-32bit: before 13.2.1+git7813-1.10.1

gcc13-fortran-32bit: before 13.2.1+git7813-1.10.1

gcc13-32bit: before 13.2.1+git7813-1.10.1

gcc13-c++-32bit: before 13.2.1+git7813-1.10.1

gcc13-info: before 13.2.1+git7813-1.10.1

cpp13: before 13.2.1+git7813-1.10.1

gcc13-debugsource: before 13.2.1+git7813-1.10.1

gcc13-c++: before 13.2.1+git7813-1.10.1

gcc13-fortran-debuginfo: before 13.2.1+git7813-1.10.1

cpp13-debuginfo: before 13.2.1+git7813-1.10.1

libstdc++6-devel-gcc13: before 13.2.1+git7813-1.10.1

gcc13-c++-debuginfo: before 13.2.1+git7813-1.10.1

gcc13-debuginfo: before 13.2.1+git7813-1.10.1

gcc13-fortran: before 13.2.1+git7813-1.10.1

gcc13: before 13.2.1+git7813-1.10.1

gcc13-locale: before 13.2.1+git7813-1.10.1

gcc13-PIE: before 13.2.1+git7813-1.10.1

External links

http://www.suse.com/support/update/announcement/2023/suse-su-20234480-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


