CVE-2023-49287: 
Linux Debian vulnerability analysis and mitigation

TinyDir, a lightweight C directory and file reader, was found to contain buffer overflow vulnerabilities in the tinydir_file_open() function. The vulnerability, identified as CVE-2023-49287, affects versions 1.2.5 and earlier, and was discovered by Marco Ivaldi on December 4, 2023. The issue has been patched in version 1.2.6 (GitHub Advisory).

The vulnerability involves multiple buffer overflow issues in the tinydir_file_open() function. Three specific vulnerabilities were identified: a potential buffer overflow due to insecure splitpath API, a stack buffer overflow when concatenating file name and extension, and another stack buffer overflow when copying path to file_name_buf. The severity is rated as High with a CVSS v3.1 score of 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). The vulnerability is classified under CWE-120 (Buffer Copy without Checking Size of Input) and CWE-121 (Stack-based Buffer Overflow) (NVD, GitHub Advisory).

If the input crosses a security boundary, the buffer overflow vulnerabilities could lead to consequences ranging from denial of service to arbitrary code execution. The CVSS scoring indicates high impact on both integrity and availability of the system, though no direct impact on confidentiality (GitHub Advisory).

Users should upgrade to TinyDir version 1.2.6 which contains the fix for these buffer overflow vulnerabilities. The patch was released on December 3, 2023 (GitHub Release).