From patchwork Mon Feb 6 15:36:32 2023
From: Carlos O'Donell
To: libc-alpha@sourceware.org, siddhesh@redhat.com
Cc: Carlos O'Donell
Subject: [PATCH] NEWS: Document CVE-2023-25139.
Date: Mon, 6 Feb 2023 10:36:32 -0500
Message-Id: <20230206153632.2737139-1-carlos@redhat.com>
X-Mailer: git-send-email 2.39.1
X-Patchwork-Submitter: Carlos O'Donell
X-Patchwork-Id: 1738238
List-Id: Libc-alpha mailing list

---
 NEWS | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Reviewed-by: Siddhesh Poyarekar

diff --git a/NEWS b/NEWS
index b227e72c9c..a7979a9cd3 100644
--- a/NEWS
+++ b/NEWS
@@ -21,7 +21,12 @@ Changes to build and runtime requirements: Security related changes: - [Add security related changes here] + CVE-2023-25139: When the printf family of functions is called with a + format specifier that uses an (enable grouping) and a + minimum width specifier, the resulting output could be larger than + reasonably expected by a caller that computed a tight bound on the + buffer size. The resulting larger than expected output could result + in a buffer overflow in the printf family of functions. The following bugs are resolved with this release:
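Review bot: the flag name is missing in the first added line of the NEWS entry; as shown it reads "a format specifier that uses an (enable grouping) and a minimum width specifier", which leaves the reader to guess which conversion flag is meant. Spell it out so the plain-text NEWS file is unambiguous, for example "a format specifier that uses the ' (apostrophe, enable grouping) flag together with a minimum width specifier". The rest of the entry (unexpectedly large output, a caller's tight bound on the buffer size, resulting overflow in the printf family) is clear as written.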