Bug#1059259: lwip: CVE-2023-49287

2023-12-22 Thread Samuel Thibault
Control: severity -1 wishlist

Hello,

Moritz Mühlenhoff, on Fri 22 Dec 2023 10:03:28 +0100, wrote:
> CVE-2023-49287[0]:
> | TinyDir is a lightweight C directory and file reader. Buffer
> | overflows in the `tinydir_file_open()` function. This vulnerability
> | has been patched in version 1.2.6.
> 
> https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
> https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
> https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt
> 
> falcosecurity-libs embeds a copy of tinydir, if it's not used to
> open files from potentially untrusted paths, feel free to downgrade.

The tinydir_file_open function is not used at all indeed.
(and we don't ship the only lwip app that includes tinydir.h anyway)

Samuel



Processed: Re: Bug#1059259: lwip: CVE-2023-49287

2023-12-22 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 wishlist
Bug #1059259 [src:lwip] lwip: CVE-2023-49287
Severity set to 'wishlist' from 'grave'

-- 
1059259: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059259
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1059259: lwip: CVE-2023-49287

2023-12-22 Thread Moritz Mühlenhoff
Source: lwip
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for lwip.

CVE-2023-49287[0]:
| TinyDir is a lightweight C directory and file reader. Buffer
| overflows in the `tinydir_file_open()` function. This vulnerability
| has been patched in version 1.2.6.

https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt

falcosecurity-libs embeds a copy of tinydir, if it's not used to
open files from potentially untrusted paths, feel free to downgrade.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49287
https://www.cve.org/CVERecord?id=CVE-2023-49287

Please adjust the affected versions in the BTS as needed.