Bug#1059062: virtuoso-opensource: CVE-2023-48945 CVE-2023-48946 CVE-2023-48947 CVE-2023-48948 CVE-2023-48949 CVE-2023-48950 CVE-2023-48951 CVE-2023-48952

Moritz Mühlenhoff jmm at inutil.org
Tue Dec 19 21:37:07 GMT 2023


Source: virtuoso-opensource
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for virtuoso-opensource.

CVE-2023-48945[0]:
| A stack overflow in openlink virtuoso-opensource v7.2.11 allows
| attackers to cause a Denial of Service (DoS) via crafted SQL
| statements.

https://github.com/openlink/virtuoso-opensource/issues/1172

CVE-2023-48946[1]:
| An issue in the box_mpy function of openlink virtuoso-opensource
| v7.2.11 allows attackers to cause a Denial of Service (DoS) after
| running a SELECT statement.

https://github.com/openlink/virtuoso-opensource/issues/1178

CVE-2023-48947[2]:
| An issue in the cha_cmp function of openlink virtuoso-opensource
| v7.2.11 allows attackers to cause a Denial of Service (DoS) after
| running a SELECT statement.

https://github.com/openlink/virtuoso-opensource/issues/1179

CVE-2023-48948[3]:
| An issue in the box_div function in openlink virtuoso-opensource
| v7.2.11 allows attackers to cause a Denial of Service (DoS) after
| running a SELECT statement.

https://github.com/openlink/virtuoso-opensource/issues/1176

CVE-2023-48949[4]:
| An issue in the box_add function in openlink virtuoso-opensource
| v7.2.11 allows attackers to cause a Denial of Service (DoS) after
| running a SELECT statement.

https://github.com/openlink/virtuoso-opensource/issues/1173

CVE-2023-48950[5]:
| An issue in the box_col_len function in openlink virtuoso-opensource
| v7.2.11 allows attackers to cause a Denial of Service (DoS) after
| running a SELECT statement.

https://github.com/openlink/virtuoso-opensource/issues/1174

CVE-2023-48951[6]:
| An issue in the box_equal function in openlink virtuoso-opensource
| v7.2.11 allows attackers to cause a Denial of Service (DoS) after
| running a SELECT statement.

https://github.com/openlink/virtuoso-opensource/issues/1177

CVE-2023-48952[7]:
| An issue in the box_deserialize_reusing function in openlink
| virtuoso-opensource v7.2.11 allows attackers to cause a Denial of
| Service (DoS) after running a SELECT statement.

https://github.com/openlink/virtuoso-opensource/issues/1175

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48945
    https://www.cve.org/CVERecord?id=CVE-2023-48945
[1] https://security-tracker.debian.org/tracker/CVE-2023-48946
    https://www.cve.org/CVERecord?id=CVE-2023-48946
[2] https://security-tracker.debian.org/tracker/CVE-2023-48947
    https://www.cve.org/CVERecord?id=CVE-2023-48947
[3] https://security-tracker.debian.org/tracker/CVE-2023-48948
    https://www.cve.org/CVERecord?id=CVE-2023-48948
[4] https://security-tracker.debian.org/tracker/CVE-2023-48949
    https://www.cve.org/CVERecord?id=CVE-2023-48949
[5] https://security-tracker.debian.org/tracker/CVE-2023-48950
    https://www.cve.org/CVERecord?id=CVE-2023-48950
[6] https://security-tracker.debian.org/tracker/CVE-2023-48951
    https://www.cve.org/CVERecord?id=CVE-2023-48951
[7] https://security-tracker.debian.org/tracker/CVE-2023-48952
    https://www.cve.org/CVERecord?id=CVE-2023-48952

Please adjust the affected versions in the BTS as needed.
