- "A qsort vulnerability is due to a missing bounds check and can lead to memory corruption. It has been present in all versions of glibc since 1992. " - This one amazes me. Imagine how many vulnerabilities future researchers will discover in ancient software that persisted/persist for decades. - C is just crazy. You accidentally forget to put the bounds in a sorting function, and now you are root. 
- According to the link in the article, the qsort() bug can only be triggered with a non-transitive cmp() function. Would such a cmp function ever be useful? - You don’t necessarily have to write a non-transitive cmp() function willingly, it may happen that you write one without realizing due to some edge cases where it’s not transitive. 
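The follow-up above says a comparator can turn out non-transitive without the author noticing. Below is an added example (not code from the thread or from glibc) showing the classic way that happens, the `a - b` idiom for integers, next to a consistent three-way comparator, plus a brute-force self-check that any comparator can be run through before it is handed to `qsort()`. The sample values and the helper names are constructed for this example.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

typedef int (*cmp_fn)(const void *, const void *);

/* Constructed sample: the three values that expose the wrap-around. */
const int sample_values[] = { INT_MIN, 0, INT_MAX };
const size_t sample_count = sizeof sample_values / sizeof sample_values[0];

/* The common mistake: "return a - b;". That expression is undefined on signed
 * overflow, so it is written here with explicit unsigned wrap-around to make
 * the wrong answer deterministic; in practice compilers produce the same wrap. */
int cmp_by_subtraction(const void *pa, const void *pb) {
    int a = *(const int *)pa, b = *(const int *)pb;
    return (int)((unsigned)a - (unsigned)b);   /* INT_MIN - INT_MAX wraps to +1 */
}

/* Consistent three-way comparison with no arithmetic that can overflow. */
int cmp_three_way(const void *pa, const void *pb) {
    int a = *(const int *)pa, b = *(const int *)pb;
    return (a > b) - (a < b);
}

static int sign(int v) { return (v > 0) - (v < 0); }

/* Brute-force check over all triples of the sample set:
 * antisymmetry (cmp(a,b) == -cmp(b,a)) and transitivity of <= and <.
 * Returns 1 if cmp behaves as a total order on the samples, 0 otherwise. */
int comparator_is_consistent(cmp_fn cmp, const int *v, size_t n) {
    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < n; j++) {
            int ab = sign(cmp(&v[i], &v[j]));
            int ba = sign(cmp(&v[j], &v[i]));
            if (ab != -ba)
                return 0;                       /* antisymmetry violated */
            for (size_t k = 0; k < n; k++) {
                int bc = sign(cmp(&v[j], &v[k]));
                int ac = sign(cmp(&v[i], &v[k]));
                if (ab <= 0 && bc <= 0 && ac > 0)
                    return 0;                   /* a<=b, b<=c but a>c */
                if ((ab < 0 || bc < 0) && ab <= 0 && bc <= 0 && ac >= 0)
                    return 0;                   /* strict step lost */
            }
        }
    }
    return 1;
}

int main(void) {
    printf("subtraction comparator consistent: %d\n",
           comparator_is_consistent(cmp_by_subtraction, sample_values, sample_count));
    printf("three-way comparator consistent:   %d\n",
           comparator_is_consistent(cmp_three_way, sample_values, sample_count));
    return 0;
}
```

On the constructed sample the subtraction comparator reports `INT_MIN > INT_MAX`, so the check fails while the three-way version passes. Running a comparator through a check like this on boundary values (extremes, duplicates, NaN-like sentinels for the type in question) is cheap and catches the edge cases the commenter describes before a sort routine ever sees them.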
- Security-critical C and memory safety bugs. Name a more iconic duo… - I’d have kinda preferred for public disclosure to have happened after the fix propagated to distros. Now we get to hurry the patch to end-users which isn’t always easily possible. Could we at least have a coordinated disclosure time each month? That’d be great. 
- Debian (versions 12 and 13), Ubuntu (23.04 and 23.10), and Fedora (37 to 39). Other distributions are probably also impacted. - https://security-tracker.debian.org/tracker/CVE-2023-6246 - Don’t know if Fedora has any similar easy way of tracking vulnerabilities 
- 12 and 13 have patches out in the security repo. Apt update && apt upgrade fixed it right up. 
- That’s why you need to rock and roll - (Arch btw.) - Try having unattended-upgrades with a rolling distro. - I don’t want unattended upgrades >:/ - Just don’t upgrade for a while and you become debian - It’s not like windows forcing you to reboot every Tuesday so Edge can come back - you shouldn’t be throwing boots through your windows 
- I replied to another comment with this, but Debian 12 (stable, bookworm) and 13 (testing, trixie) are affected by this but 12 (stable, bookworm) has a patch out in the security repo. - If you wanna know whether or not you’re affected, - apt list libc - will show your version and the one you want is 2.36-9+deb12u4 - If you don’t have that, - apt update && apt upgrade - will straighten you out - 13 (testing, trixie) has 2.37, but it’s not fixed yet. - E: Edited to use apt list instead of apt show. 
- Local attacker - Important detail - as I said on reddit 
- Glad I only run Alpine 
- “GNU Library C?” - GNU C Library (glibc) as opposed to C Library (libc). - Who calls it “GNU Library C” though? 