CVE-2023-22652

Name	CVE-2023-22652
Description	A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in openSUSE libeconf leads to DoS via malformed config files. This issue affects libeconf: before 0.5.2.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4164-1
Debian Bugs	1037333

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libeconf (PTS)	bullseye	0.3.8-1	vulnerable
	bullseye (security)	0.3.8-1+deb11u1	fixed
	bookworm	0.5.1+dfsg1-1+deb12u1	fixed
	sid, trixie	0.7.7+dfsg1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
libeconf	source	bullseye	0.3.8-1+deb11u1	DLA-4164-1
libeconf	source	bookworm	0.5.1+dfsg1-1+deb12u1
libeconf	source	(unstable)	0.5.2+dfsg1-1		1037333

Notes

https://github.com/openSUSE/libeconf/issues/177
https://github.com/openSUSE/libeconf/commit/8d086dfc69d4299e55e4844e3573b3a4cf420f19 (v0.5.2)
Patch overlaps with patch for CVE-2023-32181.