procps: CVE-2023-4016 ps buffer overflow

Related Vulnerabilities: CVE-2023-4016  

Debian Bug report logs - #1042887


Package: procps; Maintainer for procps is Craig Small <csmall@debian.org>; Source for procps is src:procps (PTS, buildd, popcon).

Reported by: Craig Small <csmall@debian.org>

Date: Wed, 2 Aug 2023 12:03:02 UTC

Severity: important

Tags: security

Found in version procps/2:4.0.3-1

Forwarded to https://gitlab.com/procps-ng/procps/-/issues/297



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#1042887; Package procps. (Wed, 02 Aug 2023 12:03:04 GMT)


Acknowledgement sent to Craig Small <csmall@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org. (Wed, 02 Aug 2023 12:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Craig Small <csmall@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: procps: CVE-2023-4016 ps buffer overflow
Date: Wed, 02 Aug 2023 21:52:41 +1000
Package: procps
Version: 2:4.0.3-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

We have a very scant report of a ps buffer overflow security bug.

Under some circumstances, this weakness allows a user who has access to run the “ps” utility on a machine, the ability to write almost unlimited amounts of unfiltered data into the process heap.

We don't know the versions impacted, we don't know how to cause it. We
have that single sentence. Once (any) details are given we will update
this bug and the gitlab issue.

I made the severity important because I'm not even sure it's a real bug
yet.

References:
 https://nvd.nist.gov/vuln/detail/CVE-2023-4016
 https://gitlab.com/procps-ng/procps/-/issues/297



-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-10-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages procps depends on:
ii  init-system-helpers  1.65.2
ii  libc6                2.36-9+deb12u1
ii  libncursesw6         6.4-4
ii  libproc2-0           2:4.0.3-1
ii  libtinfo6            6.4-4

Versions of packages procps recommends:
ii  psmisc  23.6-1

procps suggests no packages.

-- no debconf information

Set Bug forwarded-to-address to 'https://gitlab.com/procps-ng/procps/-/issues/297'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 02 Aug 2023 13:45:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Aug 3 11:55:11 2023; Machine Name: buxtehude
