CVE-2023-24056

In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconftupleparse. For example, a .pc file containing a few hundred bytes can expand to one billion bytes.

References

Affected packages

Git / github.com/pkgconf/pkgconf

Affected ranges

Type: GIT
Repo: https://github.com/pkgconf/pkgconf
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

8754bdfe0984bc29e53ee856631a42f90f789eb4

Affected versions

pkgconf-0.*

pkgconf-0.1

pkgconf-0.1.1

pkgconf-0.2

pkgconf-0.3

pkgconf-0.4

pkgconf-0.5

pkgconf-0.5.1

pkgconf-0.5.2

pkgconf-0.5.3

pkgconf-0.6

pkgconf-0.7

pkgconf-0.8

pkgconf-0.8.1

pkgconf-0.8.10

pkgconf-0.8.11

pkgconf-0.8.12

pkgconf-0.8.2

pkgconf-0.8.3

pkgconf-0.8.4

pkgconf-0.8.7

pkgconf-0.8.8

pkgconf-0.8.9

pkgconf-0.9.0

pkgconf-0.9.1

pkgconf-0.9.10

pkgconf-0.9.11

pkgconf-0.9.12

pkgconf-0.9.2

pkgconf-0.9.3

pkgconf-0.9.4

pkgconf-0.9.5

pkgconf-0.9.6

pkgconf-0.9.7

pkgconf-0.9.8

pkgconf-0.9.9

Other

pkgconf-1

pkgconf-1.*

pkgconf-1.0.1

pkgconf-1.1.0

pkgconf-1.2.0

pkgconf-1.3.0

pkgconf-1.3.1

pkgconf-1.3.2

pkgconf-1.3.3

pkgconf-1.3.4

pkgconf-1.3.5

pkgconf-1.3.6

pkgconf-1.3.7

pkgconf-1.3.90

pkgconf-1.4.0

pkgconf-1.4.1

pkgconf-1.4.2

pkgconf-1.5.1

pkgconf-1.5.2

pkgconf-1.5.3

pkgconf-1.5.4

pkgconf-1.6.0

pkgconf-1.6.1

pkgconf-1.6.2

pkgconf-1.6.3

pkgconf-1.7.0

pkgconf-1.7.1

pkgconf-1.7.2

pkgconf-1.7.3

pkgconf-1.7.4

pkgconf-1.8.0

pkgconf-1.9.0

pkgconf-1.9.1

pkgconf-1.9.2

pkgconf-1.9.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-24056.json"