Qualys found a heap overflow in the GNU C library function __vsyslog_internal(), which is called by both syslog() and vsyslog(). The bug was introduced in glibc 2.37 (in Aug 2022) and was also backported to glibc 2.36.

Qualys reported that they were able to exploit current major Linux distributions:

*** *******, ** ********* **** ****** 12 *** **, ****** **.** *** 23.10, *** ****** ** ** ** are ********** ** **** ****** ********. Furthermore, ** ************ ********* ** **-**-****, default ************ ** ****** ** (** amd64): * ***** ********* **********, **** any ************ **** ** **** ****. Other ************* *** ******** **** ***********.

**** *********** **** ****, ********* *****-**-*******, ***** **** **** ***** *** vulnerability **** ****** *** *** ** triggered ******** ***** *** ******* ********* for ********** **** ************* *** **** be ******** ***** ****[*].

** *** **** ** *** *********, this ************* ****** ** ********* ******** in *** ****** ******** (******* ** requires ** ****[*], ** ** *******() ident ********, ****** **** **** ***** to ** *********).

****[*] ** ***** *** ******* **** is ******; *******, **** ****** ** changed. *** **** * ****** *****, Qualys *********** **** **** ** ****** the ******* **** ** ****[*] *** trigger *** ************* **** *** ********* proof-of-concept:

********: ************ ***** (**** ******)

*** ************* *********** ***-****-****,**** **** ********* * **** ******** rating ** *.* (****), *********** *** ****** ** ********** ** ** * ***** *************.

** ********,****** **** ******** ***** *************** ** the *** * *******, **** ** ***-****-****, ** ***-**-*** heap-based ****** ******** ** ******************() *** CVE-2023-6780, *** ****** ********** ** *** qsort() ********.