Bug 2123394 (CVE-2022-39046)

Summary: CVE-2022-39046 glibc: a crafted input may allow information disclosure
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aoliva, arjun, ashankar, codonell, dj, fweimer, glibc-bugzilla, law, mcermak, mcoufal, mfabian, mnewsome, nalin, pfrankli, rth, sentrycraft123, sipoyare, skolosov
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: glibc 2.37 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the glibc package. If the Syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-09-23 14:41:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2123395, 2123396    
Bug Blocks: 2123398    

Description Marian Rehak 2022-09-01 14:41:12 UTC 
When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.

Reference:

https://sourceware.org/bugzilla/show_bug.cgi?id=29536
Comment 1 Marian Rehak 2022-09-01 14:41:34 UTC 
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 2123395]


Created zig tracking bugs for this issue:

Affects: fedora-all [bug 2123396]