0005-NEWS-Document-CVE-2023-25139.patch
From 6fe86ecd787a2624cd638131629ba9a824040308 Mon Sep 17 00:00:00 2001
From: Carlos O'Donell <carlos@redhat.com>
Date: Mon, 6 Feb 2023 10:36:32 -0500
Subject: [PATCH 5/8] NEWS: Document CVE-2023-25139.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 67c37737ed474d25fd4dc535dfd822c426e6b971)
---
NEWS | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/NEWS b/NEWS
index 4da140db31..7ba8846fcc 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,15 @@ using `glibc' in the "product" field.
Version 2.37.1
+Security related changes:
+
+ CVE-2023-25139: When the printf family of functions is called with a
+ format specifier that uses an <apostrophe> (enable grouping) and a
+ minimum width specifier, the resulting output could be larger than
+ reasonably expected by a caller that computed a tight bound on the
+ buffer size. The resulting larger than expected output could result
+ in a buffer overflow in the printf family of functions.
+
The following bugs are resolved with this release:
[30053] time: strftime %s returns -1 after 2038 on 32 bits systems
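Review bot: the new CVE-2023-25139 entry under "Security related changes:" carries no bug reference, while the "The following bugs are resolved with this release:" list directly below uses the bracketed `[30053]` form for every item; if the fix has a sourceware bug, add it in the same `[NNNNN]` form so readers can find the fixing commit from NEWS alone, and otherwise state that it was tracked only under the CVE.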
--
2.25.1