On Wed, 25 Jan 2023 12:06:50 -0700, Todd C. Miller wrote:

> CVSROOT:      /cvs
> Module name:  src
> Changes by:   mill...@cvs.openbsd.org 2023/01/25 12:06:50
>
> Modified files:
>       usr.bin/pkg-config/OpenBSD: PkgConfig.pm 
>
> Log message:
> Fix CVE-2023-24056, unbounded variable expansion in pkg-config.
> We now die with an error when trying to expand a variable that is
> already longer than 64K.  This was never a buffer overflow in our
> pkg-config, but rather an unbounded memory allocation that would
> eventually run up against resource limits.  OK sthen@ jasper@

To avoid confusion on the matter, the CVE listed is for the C version
of pkg-config, not our Perl version.  This is not a security issue
on OpenBSD because:

    1) there is no buffer overflow in our Perl version
    2) only root can install .pc files anyway

However, it still makes sense to limit the amount of variable
expansion to avoid using excessive memory.  The 64K limit was chosen
to be compatible with the C version.

 - todd
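The bounded expansion the commit describes, written out as an added Python example (this is not the OpenBSD PkgConfig.pm code): `${name}` references are expanded a pass at a time, and a value that is already longer than 64K dies with an error instead of growing further. The pass cap, the `.pc` parser and the doubling input are constructed for this example.

```python
import re

# 64K ceiling on an intermediate expansion result, the value the commit
# message above chose to match the C pkg-config.
MAX_EXPANSION = 64 * 1024
# Pass cap so a reference cycle that never grows (a=${b}, b=${a}) still
# terminates; this number is an assumption of this example, not from the page.
MAX_PASSES = 64

_VAR_RE = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")
_ASSIGN_RE = re.compile(r"^([A-Za-z0-9_.]+)=(.*)$")


class ExpansionError(Exception):
    """Raised instead of letting a .pc variable expand without bound."""


def parse_pc_variables(text):
    """Collect name=value lines from .pc text; keyword lines such as
    'Cflags:' and 'Name:' carry no '=' at this position and are skipped."""
    variables = {}
    for line in text.splitlines():
        m = _ASSIGN_RE.match(line.strip())
        if m:
            variables[m.group(1)] = m.group(2).strip()
    return variables


def expand(value, variables, limit=MAX_EXPANSION):
    """Expand ${name} references in value until none remain. The size check
    runs before each pass, so a value already longer than `limit` errors out
    rather than being expanded again (undefined names expand to '')."""
    for _ in range(MAX_PASSES):
        if len(value) > limit:
            raise ExpansionError(f"variable expansion exceeds {limit} bytes")
        expanded = _VAR_RE.sub(lambda m: variables.get(m.group(1), ""), value)
        if expanded == value:
            return value
        value = expanded
    raise ExpansionError("too many expansion passes (reference cycle?)")


def doubling_pc(levels):
    """Constructed .pc text: each variable is two copies of the previous one,
    so the final Cflags value is the two-byte seed repeated 2**levels times."""
    lines = ["v0=xx"]
    for i in range(1, levels + 1):
        lines.append(f"v{i}=${{v{i-1}}}${{v{i-1}}}")
    lines.append(f"Cflags: ${{v{levels}}}")
    return "\n".join(lines)
```

With ten doubling levels the Cflags value expands to 2048 bytes and is accepted; with twenty it would reach 2 MB, and `expand` raises as soon as an intermediate pass exceeds the 64K limit.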
