CVE-2023-52159

NameCVE-2023-52159
DescriptionA stack-based buffer overflow vulnerability in gross 0.9.3 through 1.x before 1.0.4 allows remote attackers to trigger a denial of service (grossd daemon crash) or potentially execute arbitrary code in grossd via crafted SMTP transaction parameters that cause an incorrect strncat for a log entry.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3774-1
Debian Bugs1067115

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
gross (PTS)bullseye1.0.2-4.1~deb11u1fixed
bookworm1.0.2-4.1~deb12u1fixed
sid, trixie1.0.2-4.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
grosssourcebuster1.0.2-4.1~deb10u1DLA-3774-1
grosssourcebullseye1.0.2-4.1~deb11u1
grosssourcebookworm1.0.2-4.1~deb12u1
grosssource(unstable)1.0.2-4.11067115

Notes

https://codeberg.org/bizdelnick/gross/commit/6403985fc1060e7aacea96e60535e1e7b0f6f193 (master)
https://codeberg.org/bizdelnick/gross/commit/3f5508cce2c49d216b163eb7b38ea72d5162c76e (1.0.4)
https://codeberg.org/bizdelnick/gross/wiki/Known-vulnerabilities#cve-2023-52159

Search for package or bug name: Reporting problems