CVE-2022-39046: 
NixOS vulnerability analysis and mitigation

An issue was discovered in the GNU C Library (glibc) 2.36 where the syslog function, when passed a crafted input string larger than 1024 bytes, reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap. The vulnerability was introduced in August 2022 and was assigned CVE-2022-39046. This vulnerability affects multiple distributions including Debian 12 and 13, Ubuntu 23.04 and 23.10, and Fedora 37 to 39 (Debian Tracker, Ubuntu Security).

The vulnerability exists in the vsyslog_internal() function, which is called by both syslog() and vsyslog(). When a string larger than 1024 bytes is passed, the function fails to handle the heap allocation correctly. The issue occurs because when the input exceeds the static buffer size (1024 bytes), the code skips the proper buffer allocation logic, resulting in a 1-byte buffer being allocated instead. This leads to a buffer overflow condition when writing the attacker-controlled progname and subsequent data (Sourceware Bugzilla).

The vulnerability could lead to disclosure of sensitive information through the exposure of heap memory contents. When exploited, it could potentially reveal portions of the heap memory in the target log file. In certain configurations, this could be leveraged for local privilege escalation, allowing an unprivileged user to gain root access (Red Hat CVE).

The vulnerability has been fixed in glibc 2.37 and backported to version 2.36. Users should upgrade to the patched versions available through their distribution's security updates. For example, Gentoo users should upgrade to glibc-2.37-r7 or later, while other distributions have their respective security updates (Gentoo Security).