DEBIAN-CVE-2023-4039

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2023-4039

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-4039.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-4039

Upstream

CVE-2023-4039

Published

2023-09-13T09:15:15Z

Modified

2025-09-25T23:29:48.302471Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

References

https://security-tracker.debian.org/tracker/CVE-2023-4039

Affected packages

Debian:11

gcc-10

Package

Name: gcc-10
Purl: pkg:deb/debian/gcc-10?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

10.*

10.2.1-6

10.2.1-6+hurd.1

10.2.1-16

10.2.1-17

10.2.1-18

10.2.1-19

10.2.1-20

10.2.1-21

10.2.1-23

10.2.1-24

10.3.0-1

10.3.0-2

10.3.0-3

10.3.0-4

10.3.0-5

10.3.0-6

10.3.0-7

10.3.0-8

10.3.0-9

10.3.0-10

10.3.0-11

10.3.0-12

10.3.0-13

10.3.0-14

10.3.0-15

10.3.0-16

10.4.0-1

10.4.0-2

10.4.0-3

10.4.0-4

10.4.0-5

10.4.0-6

10.4.0-7

10.4.0-8

10.4.0-9

10.5.0-1

10.5.0-2

10.5.0-3

10.5.0-4

Ecosystem specific

{
    "urgency": "unimportant"
}

gcc-9

Package

Name: gcc-9
Purl: pkg:deb/debian/gcc-9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.3.0-22

9.3.0-23

9.3.0-24

9.3.0-25

9.3.0-26

9.4.0-1

9.4.0-2

9.4.0-3

9.4.0-4

9.4.0-5

9.5.0-1

9.5.0-2

9.5.0-3

9.5.0-4

9.5.0-5

9.5.0-6

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12

gcc-11

Package

Name: gcc-11
Purl: pkg:deb/debian/gcc-11?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

11.*

11.3.0-12

11.3.0-13

11.3.0-14

11.3.0-15

11.4.0-1

11.4.0-2

11.4.0-3

11.4.0-4

11.4.0-5

11.4.0-6

11.4.0-7

11.4.0-8

11.4.0-9

11.4.0-10

11.5.0-1

11.5.0-2

11.5.0-3

11.5.0-4

11.5.0-5

11.5.0-6

11.5.0-7

Ecosystem specific

{
    "urgency": "unimportant"
}

gcc-12

Package

Name: gcc-12
Purl: pkg:deb/debian/gcc-12?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.2.0-14+deb12u1

Affected versions

12.*

12.2.0-14

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13

gcc-12

Package

Name: gcc-12
Purl: pkg:deb/debian/gcc-12?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.3.0-9

Ecosystem specific

{
    "urgency": "unimportant"
}

gcc-13

Package

Name: gcc-13
Purl: pkg:deb/debian/gcc-13?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

13.2.0-4

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:14

gcc-12

Package

Name: gcc-12
Purl: pkg:deb/debian/gcc-12?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.3.0-9

Ecosystem specific

{
    "urgency": "unimportant"
}

gcc-13

Package

Name: gcc-13
Purl: pkg:deb/debian/gcc-13?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

13.2.0-4

Ecosystem specific

{
    "urgency": "unimportant"
}