NEWS: Document CVE-2023-25139.

author Carlos O'Donell <carlos@redhat.com>

Mon, 6 Feb 2023 15:36:32 +0000 (10:36 -0500)

committer Carlos O'Donell <carlos@redhat.com>

Tue, 7 Feb 2023 23:24:41 +0000 (18:24 -0500)
author Carlos O'Donell <carlos@redhat.com>
Mon, 6 Feb 2023 15:36:32 +0000 (10:36 -0500)
committer Carlos O'Donell <carlos@redhat.com>
Tue, 7 Feb 2023 23:24:41 +0000 (18:24 -0500)
diff --git a/NEWS b/NEWS

index 4da140db31e70c1ee6af4e30602ef0c977c0f4ca..7ba8846fcca92353c3578b3607de9da2a86c7209 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,15 @@ using `glibc' in the "product" field.
  \f
  Version 2.37.1
  
+Security related changes:
+
+  CVE-2023-25139: When the printf family of functions is called with a
+  format specifier that uses an <apostrophe> (enable grouping) and a
+  minimum width specifier, the resulting output could be larger than
+  reasonably expected by a caller that computed a tight bound on the
+  buffer size.  The resulting larger than expected output could result
+  in a buffer overflow in the printf family of functions.
+
  The following bugs are resolved with this release:
  
    [30053] time: strftime %s returns -1 after 2038 on 32 bits systems
author	Carlos O'Donell <carlos@redhat.com>
	Mon, 6 Feb 2023 15:36:32 +0000 (10:36 -0500)
committer	Carlos O'Donell <carlos@redhat.com>
	Tue, 7 Feb 2023 23:24:41 +0000 (18:24 -0500)