CVE-2023-34095: 
Linux Debian vulnerability analysis and mitigation

CVE-2023-34095 affects cpdb-libs, a library providing frontend and backend functionality for the Common Printing Dialog Backends (CPDB) project. The vulnerability was discovered in June 2023 and affects versions 1.0 through 2.0b4. The vulnerability stems from improper use of scanf(3) functions in parsing command lines and configuration files (GitHub Advisory, NVD).

The vulnerability arises from the use of fscanf() and scanf() functions to parse command lines and configuration files, where string components are read into fixed-length buffers of 1024 characters. The functions are called without limiting the length of strings to be read, which can cause buffer overflows when input strings exceed 1023 characters. The issue affects multiple code locations, including cpdb-frontend.c and cpdb-text-frontend.c. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to buffer overflows, potentially allowing attackers to crash the application or execute arbitrary code. This poses a significant security risk as it could enable unauthorized access to the system running the affected software (GitHub Advisory).

A patch has been released that limits the maximum string length to be read to 1023 characters by replacing all occurrences of %s with %1023s in all calls of the fscanf() and scanf() functions. The fix is available in commit f181bd1f14757c2ae0f17cc76dc20421a40f30b7 and version 2.0b6. Users are advised to upgrade to the patched version (GitHub Patch).