CVE-2023-24056

CVE-2023-24056

Name

CVE-2023-24056

Description

In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing a few hundred bytes can expand to one billion bytes.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://gitea.treehouse.systems/ariadne/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059
MISC	https://github.com/pkgconf/pkgconf/tags
MISC	https://nullprogram.com/blog/2023/01/18/

Type

URI

MISC

https://gitea.treehouse.systems/ariadne/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059

MISC

https://github.com/pkgconf/pkgconf/tags

MISC

https://nullprogram.com/blog/2023/01/18/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:pkgconf:pkgconf::::::::`	pkgconf	>= None	<= 1.9.3

CPE URI

Source package

Min version

Max version

cpe:2.3:a:pkgconf:pkgconf:*:*:*:*:*:*:*:*

pkgconf

>= None

<= 1.9.3

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
pkgconf	3.17-main	1.9.4-r0	Ariadne Conill <ariadne@dereferenced.org>	fixed
pkgconf	3.16-main	1.8.1-r0	Ariadne Conill <ariadne@dereferenced.org>	fixed
pkgconf	3.15-main	1.8.1-r0	Ariadne Conill <ariadne@dereferenced.org>	fixed
pkgconf	3.14-main	1.7.4-r1	Ariadne Conill <ariadne@dereferenced.org>	fixed

Source package

Branch

Version

Maintainer

Status

pkgconf

3.17-main

1.9.4-r0

Ariadne Conill <ariadne@dereferenced.org>

fixed

pkgconf

3.16-main