[Bug 1223697] New: VUL-0: CVE-2023-26793: libmodbus: heap-based buffer overflow vulnerability in read_io_status function in src/modbus.c.
https://bugzilla.suse.com/show_bug.cgi?id=1223697

Bug ID: 1223697
Summary: VUL-0: CVE-2023-26793: libmodbus: heap-based buffer overflow vulnerability in read_io_status function in src/modbus.c.
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.6
Hardware: Other
URL: https://smash.suse.de/issue/403923/
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: sbrabec@suse.com
Reporter: smash_bz@suse.de
QA Contact: security-team@suse.de
CC: andrea.mattiazzo@suse.com
Target Milestone: ---
Found By: Security Response Team
Blocker: ---

libmodbus v3.1.10 has a heap-based buffer overflow vulnerability in the read_io_status function in src/modbus.c.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26793
https://www.cve.org/CVERecord?id=CVE-2023-26793
https://github.com/stephane/libmodbus/issues/683

--
You are receiving this mail because: You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1223697
https://bugzilla.suse.com/show_bug.cgi?id=1223697#c1

--- Comment #1 from Andrea Mattiazzo <andrea.mattiazzo@suse.com> ---

No information upstream.

Tracking as affected:
- openSUSE:Backports:SLE-15-SP5/libmodbus 3.1.10
- openSUSE:Backports:SLE-15-SP6/libmodbus 3.1.10
- openSUSE:Factory/libmodbus 3.1.10
https://bugzilla.suse.com/show_bug.cgi?id=1223697

Maintenance Automation <maint-coord+maintenance-robot@suse.de> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
          Priority |P5 - None   |P3 - Medium
https://bugzilla.suse.com/show_bug.cgi?id=1223697
https://bugzilla.suse.com/show_bug.cgi?id=1223697#c2

Stanislav Brabec <sbrabec@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
            Status |NEW         |CONFIRMED

--- Comment #2 from Stanislav Brabec <sbrabec@suse.com> ---

Although it is a more than a year old report, there is apparently no fix yet.

https://nvd.nist.gov/vuln/detail/CVE-2023-26793
"This vulnerability is currently awaiting analysis."
https://bugzilla.suse.com/show_bug.cgi?id=1223697
https://bugzilla.suse.com/show_bug.cgi?id=1223697#c3

--- Comment #3 from Stanislav Brabec <sbrabec@suse.com> ---

Checking upstream, there is no fix. The upstream issue has no progress.

Is it serious enough to start research? Note that we have no Modbus testing hardware.
https://bugzilla.suse.com/show_bug.cgi?id=1223697
https://bugzilla.suse.com/show_bug.cgi?id=1223697#c4

Stanislav Brabec <sbrabec@suse.com> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
            Status |CONFIRMED   |IN_PROGRESS

--- Comment #4 from Stanislav Brabec <sbrabec@suse.com> ---

According to the upstream tracker, this is not a bug in the implementation but a bug in the unit test. So the buffer overflow exists only in the test, not in the implementation.

Let's wait for confirmation from the developer, but it seems that we can ignore that. The unit test is not part of the installed and exploitable code.