Safety vulnerability ID: 71263
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of pkgconf are vulnerable to a buffer overflow. Variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse: a .pc file containing a few hundred bytes can expand to one billion bytes. Because the input is the .pc file itself, any package description on pkgconf's search path is enough to trigger it.
Latest version: 2.2.0.post0
`pkgconf` is a program which helps with discovering library dependencies and configuring compiler and linker flags.
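The expansion blow-up described above, as an added example that is not pkgconf's code: a toy expander for the `name=value` / `${name}` subset of the .pc format. `expand_unbounded` has the vulnerable shape (every reference is expanded in full, so a chain of variables that each repeat the previous one ten times grows exponentially with the chain length), `expand_bounded` aborts as soon as the output passes a cap, `expanded_length` sizes an expansion without materialising it, and `build_expansion_bomb` constructs the few-hundred-byte file that would expand to a billion bytes. The cap `MAX_EXPANDED_LEN`, the depth limit `MAX_DEPTH` and both sample .pc files are assumptions of this example, not values from pkgconf.

```python
"""Toy .pc variable expander illustrating CVE-2023-24056 (added example, not pkgconf code)."""
import re

VAR_RE = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")

MAX_EXPANDED_LEN = 64 * 1024   # assumed cap for this example, not pkgconf's buffer size
MAX_DEPTH = 64                 # assumed guard against self-referencing chains


class ExpansionLimitError(Exception):
    """Raised by the bounded expander when a cap is exceeded."""


def parse_pc(text):
    """Return (variables, keywords): ``name=value`` lines and ``Name: value`` lines, unexpanded."""
    variables, keywords = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and ":" not in key:          # variable definition
            variables[key.strip()] = value.strip()
            continue
        key, sep, value = line.partition(":")
        if sep:                              # keyword such as Cflags or Libs
            keywords[key.strip()] = value.strip()
    return variables, keywords


def expand_unbounded(variables, value, depth=0):
    """Vulnerable shape: expand every ${name} in full with no limit on output size."""
    if depth > MAX_DEPTH:
        raise ExpansionLimitError("reference chain too deep")

    def repl(m):
        return expand_unbounded(variables, variables.get(m.group(1), ""), depth + 1)

    return VAR_RE.sub(repl, value)


def expand_bounded(variables, value, limit=MAX_EXPANDED_LEN):
    """Same expansion, but every appended piece is checked against ``limit`` first."""
    out, size = [], 0

    def emit(piece):
        nonlocal size
        size += len(piece)
        if size > limit:
            raise ExpansionLimitError(f"expansion exceeds {limit} bytes")
        out.append(piece)

    def walk(text, depth):
        if depth > MAX_DEPTH:
            raise ExpansionLimitError("reference chain too deep")
        pos = 0
        for m in VAR_RE.finditer(text):
            emit(text[pos:m.start()])
            walk(variables.get(m.group(1), ""), depth + 1)
            pos = m.end()
        emit(text[pos:])

    walk(value, 0)
    return "".join(out)


def expanded_length(variables, value, _memo=None, _depth=0):
    """Size the fully expanded value would have, computed without building it."""
    if _memo is None:
        _memo = {}
    if _depth > MAX_DEPTH:
        raise ExpansionLimitError("reference chain too deep")
    total, pos = 0, 0
    for m in VAR_RE.finditer(value):
        total += m.start() - pos
        name = m.group(1)
        if name not in _memo:
            _memo[name] = expanded_length(variables, variables.get(name, ""), _memo, _depth + 1)
        total += _memo[name]
        pos = m.end()
    return total + len(value) - pos


def build_expansion_bomb(levels=9, fanout=10):
    """Constructed .pc text: each variable repeats the previous one ``fanout`` times."""
    lines = ["a0=x"]
    for i in range(1, levels + 1):
        lines.append(f"a{i}=" + "${a%d}" % (i - 1) * fanout)
    lines += ["Name: bomb", "Description: constructed expansion bomb",
              "Version: 1.0", f"Cflags: -I${{a{levels}}}"]
    return "\n".join(lines) + "\n"


# Constructed benign .pc file, the normal use of variables.
BENIGN_PC = """\
prefix=/usr
exec_prefix=${prefix}
includedir=${prefix}/include
libdir=${exec_prefix}/lib

Name: example
Description: constructed sample
Version: 1.0
Cflags: -I${includedir}
Libs: -L${libdir} -lexample
"""

if __name__ == "__main__":
    v, k = parse_pc(BENIGN_PC)
    print(expand_unbounded(v, k["Cflags"]), expand_bounded(v, k["Libs"]))
    bomb = build_expansion_bomb()
    bv, bk = parse_pc(bomb)
    print(len(bomb), "byte file -> Cflags of", expanded_length(bv, bk["Cflags"]), "bytes")
    try:
        expand_bounded(bv, bk["Cflags"])
    except ExpansionLimitError as err:
        print("bounded expander refused:", err)
```

The bomb file is under 600 bytes and its Cflags line expands to 10^9 + 2 bytes; the bounded expander stops after writing at most 64 KiB, which is the property a fix for this class of bug needs: check the size on every append, not only at the end.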
----------------------------
* Fix a buffer overflow vulnerability involving very large variable expansions (CVE-2023-24056).
* Fix a bunch of minor regressions with the solver.
* Create separate solutions for `--cflags` and `--libs` when `--static` is not used.
* Remove final trailing whitespace in pkgconf_fragment_render_buf().
* Revert broken pkg.m4 change involving querying module versions in PKG_CHECK_MODULES.
* Fix handling of tildes in version strings.
* Various C99 formatting string fixes involving SIZE_FMT_SPECIFIER.