Bug#1033202: liblouis: CVE-2023-26767 CVE-2023-26768 CVE-2023-26769
Samuel Thibault
sthibault at debian.org
Sun Mar 19 16:27:39 GMT 2023
Control: severity -1 normal
Hello,
I don't think any of these is an actual security issue.
Salvatore Bonaccorso, on Sun. 19 March 2023 17:09:09 +0100, wrote:
> The following vulnerabilities were published for liblouis.
>
> CVE-2023-26767[0]:
> | Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a
> | remote attacker to cause a denial of service via the lou_logFile
> | function at logginc.c endpoint.
lou_logFile is not the kind of thing that is supposed to be usable
by attackers. If it was it would be *way* more serious than a buffer
overflow is.
> CVE-2023-26768[1]:
> | Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a
> | remote attacker to cause a denial of service via the
> | compileTranslationTable.c and lou_setDataPath functions.
It is the user that is in control of loading the translation table. The
content of the table *has* to be under the control of the user. If an
attacker was able to change the table, it would be *way* more problematic
than just buffer overflows.
> CVE-2023-26769[2]:
> | Buffer Overflow vulnerability found in Liblouis Lou_Trace v.3.24.0
> | allows a remote attacker to cause a denial of service via the
> | resolveSubtable function at compileTranslationTabel.c.
lou_trace is a debugging tool.
Samuel