• shadowintheday2@lemmy.world
    1 year ago

    "A qsort vulnerability is due to a missing bounds check and can lead to memory corruption. It has been present in all versions of glibc since 1992."

    This one amazes me. Imagine how many vulnerabilities future researchers will discover in ancient software that persisted/persist for decades.

    • xlash123@sh.itjust.works
      1 year ago

      C is just crazy. You accidentally forget to put the bounds in a sorting function, and now you are root.

    • kaputt@sh.itjust.works
      1 year ago

      According to the link in the article, the qsort() bug can only be triggered with a non-transitive cmp() function. Would such a cmp function ever be useful?

      • Giooschi@lemmy.world
        1 year ago

        You don’t necessarily have to write a non-transitive cmp() function willingly, it may happen that you write one without realizing due to some edge cases where it’s not transitive.

  • Atemu@lemmy.ml
    1 year ago

    Security-critical C and memory safety bugs. Name a more iconic duo…

    I’d have kinda preferred for public disclosure to have happened after the fix propagated to distros. Now we get to hurry the patch to end-users which isn’t always easily possible. Could we at least have a coordinated disclosure time each month? That’d be great.

  • tsonfeir@lemm.ee
    1 year ago

    Debian (versions 12 and 13), Ubuntu (23.04 and 23.10), and Fedora (37 to 39). Other distributions are probably also impacted.

  • gayhitler420@lemm.ee
    1 year ago

    I replied to another comment with this, but Debian 12 (stable, bookworm) and 13 (testing, trixie) are affected by this, but 12 (stable, bookworm) has a patch out in the security repo.

    If you wanna know whether or not you’re affected,

    apt list libc6

    will show your version and the one you want is 2.36-9+deb12u4

    If you don’t have that,

    apt update && apt upgrade

    will straighten you out

    13 (testing, trixie) has 2.37, but it’s not fixed yet.

    E: Edited to use apt list instead of apt show.