Buffer Overflow in GNU C Library Affects Older Versions
Date: April 17, 2024
CVE: CVE-2024-2961
Vulnerability Type: Out-of-bounds Write
CWE: [[CWE-787]]
Sources: SecurityVulnerability.io, NVD Mitigation blog
Issue Summary
A critical buffer overflow vulnerability has been identified in the GNU C Library's iconv function when converting charsets to certain Chinese Extended encodings. This flaw occurs when converting strings to the ISO-2022-CN-EXT character set in versions prior to 2.40, potentially leading to application crashes or memory corruption.
Technical Key Findings
The vulnerability stems from improper boundary checks during character set conversion, allowing up to 4 bytes of overflow. This could enable attackers to execute arbitrary code or disrupt program operation by manipulating memory locations adjacent to the buffer.
Vulnerable Products
All versions of GNU C Library older than 2.40 are susceptible. (That's potentially 24 years of a buffer overflow presence in the glibc!)
Impact Assessment
The vulnerability poses a high risk, potentially affecting the confidentiality, integrity, and availability of systems utilizing the affected library versions. There is no evidence of active exploitation yet, but the severity of potential impacts warrants prompt attention.
Patches or Workaround
The GNU C Library has released patches for this vulnerability. Users are advised to update to version 2.40 or later. If you are unable to (or it's not available on your OS yet), you can mitigate this issue by disabling the affected charsets in gconv.
Check if you are vulnerable
// The first line of the linker version info should include the version of glibc (either as GLIBC or GNU libc).
ldd --version
// Check if the vulnerable encodings are enabled in iconv:
iconv -l | grep -E 'CN-?EXT'
If they are, you will see an output like:
ISO-2022-CN-EXT//
ISO2022CNEXT//
Tags
#GNUCLibrary #CVE-2024-2961 #BufferOverflow #SecurityPatch #ISO2022CNEXT #CVE20242961 #iconv #iconvglibc
Fossery Tech 
Boud
🛡 
​
FOSSlife