CVE-2025-0395: 
Rocky Linux vulnerability analysis and mitigation

A buffer overflow vulnerability (CVE-2025-0395) was discovered in the GNU C Library (glibc) versions 2.13 to 2.40. The vulnerability exists in the assert() function implementation, where it fails to allocate sufficient space for the assertion failure message string and size information. This vulnerability was discovered by Qualys Security Advisory team and publicly disclosed on January 22, 2025 (GLIBC Advisory, OSS Security).

The vulnerability stems from an implementation flaw in the assert() function where the allocation for abort_msg_s structure does not account for the integer in the struct that stores the message length. When the assertion failure message string size aligns with the page size, it can lead to a buffer overflow of up to four bytes (sizeof unsigned int). The issue was introduced in 2011 by commit f8a3b5b. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The impact of this vulnerability is primarily limited to local attacks. It can only be exploited if a setuid program contains a reachable assertion failure. While no such vulnerable setuid programs were identified at the time of disclosure, the potential risk exists particularly in environments with custom setuid programs. The buffer overflow is mmap-based and limited to a maximum of four bytes, with the attacker unable to control the overflowing bytes (GLIBC Advisory).

The vulnerability has been patched in multiple versions of the GNU C Library. Fixes have been backported to versions 2.34 through 2.41. The fix includes proper allocation of space for the message length storage in the abort_msg_s structure. Users are advised to update their systems to the patched versions. The fix was committed and backported on January 22, 2025 (Bugzilla).