Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20231005012718.GA2484@openwall.com>
Date: Thu, 5 Oct 2023 03:27:18 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so

On Tue, Oct 03, 2023 at 05:50:36PM +0000, Qualys Security Advisory wrote:
> We successfully exploited this vulnerability and obtained full root
> privileges on the default installations of Fedora 37 and 38, Ubuntu
> 22.04 and 23.04, Debian 12 and 13; other distributions are probably also
> vulnerable and exploitable (one notable exception is Alpine Linux, which
> uses musl libc, not the glibc). We will not publish our exploit for now;
> however, this buffer overflow is easily exploitable (by transforming it
> into a data-only attack), and other researchers might publish working
> exploits shortly after this coordinated disclosure.

And they did, here are a couple:

https://github.com/leesh3288/CVE-2023-4911
https://github.com/RickdeJager/CVE-2023-4911

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.