CVE-2023-52389

CVE-2023-52389

Name

CVE-2023-52389

Description

UTF32Encoding.cpp in POCO has a Poco::UTF32Encoding integer overflow and resultant stack buffer overflow because Poco::UTF32Encoding::convert() and Poco::UTF32::queryConvert() may return a negative integer if a UTF-32 byte sequence evaluates to a value of 0x80000000 or higher. This is fixed in 1.11.8p2, 1.12.5p2, and 1.13.0.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
cve@mitre.org	https://github.com/pocoproject/poco/compare/poco-1.12.5p2-release...poco-1.13.0-release
cve@mitre.org	https://github.com/pocoproject/poco/issues/4320
cve@mitre.org	https://pocoproject.org/blog/?p=1226
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2025/01/msg00017.html

Type

URI

cve@mitre.org

https://github.com/pocoproject/poco/compare/poco-1.12.5p2-release...poco-1.13.0-release

cve@mitre.org

https://github.com/pocoproject/poco/issues/4320

cve@mitre.org

https://pocoproject.org/blog/?p=1226

af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2025/01/msg00017.html

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:pocoproject:poco::::::::`	poco	>= None	< 1.11.8
`cpe:2.3:a:pocoproject:poco::::::::`	poco	>= 1.12.0	< 1.12.5
`cpe:2.3:a:pocoproject:poco:1.12.5:-::::::`	poco	== None	== 1.12.5

CPE URI

Source package

Min version

Max version

cpe:2.3:a:pocoproject:poco:*:*:*:*:*:*:*:*

poco

>= None

< 1.11.8

cpe:2.3:a:pocoproject:poco:*:*:*:*:*:*:*:*

poco

>= 1.12.0

< 1.12.5

cpe:2.3:a:pocoproject:poco:1.12.5:-:*:*:*:*:*:*

poco

== None

== 1.12.5

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
poco	edge-community	1.12.4-r0	Bart Ribbers <bribbers@disroot.org>	possibly vulnerable
poco	3.22-community	1.12.4-r0	Bart Ribbers <bribbers@disroot.org>	possibly vulnerable
poco	3.20-community	1.12.4-r0	Bart Ribbers <bribbers@disroot.org>	possibly vulnerable
poco	3.19-community	1.12.4-r0	Bart Ribbers <bribbers@disroot.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

poco

edge-community

1.12.4-r0

Bart Ribbers <bribbers@disroot.org>

possibly vulnerable

poco

3.22-community