CVE-2023-46586

NameCVE-2023-46586
Descriptioncgi.c in weborf .0.17, 0.18, 0.19, and 0.20 (before 1.0) lacks '\0' termination of the path for CGI scripts because strncpy is misused.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1054417

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
weborf (PTS)bullseye0.17-3+deb11u1fixed
bookworm0.19-2.1+deb12u1fixed
sid, trixie1.4-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
weborfsourcebuster(not affected)
weborfsourcebullseye0.17-3+deb11u1
weborfsourcebookworm0.19-2.1+deb12u1
weborfsource(unstable)1.0-11054417

Notes

[buster] - weborf <not-affected> (Vulnerable code introduced later)
https://github.com/ltworf/weborf/pull/88
Fixed by: https://github.com/ltworf/weborf/commit/49824204add55aab0568d90a6b1e7c822d32120d (1.0)
Introduced by: https://github.com/ltworf/weborf/commit/6f83c3e9ceed8b0d93608fd5d42b53c081057991 (0.16)

Search for package or bug name: Reporting problems