#1070393 gobgp: CVE-2023-46565

Package:
src:gobgp
Source:
src:gobgp
Submitter:
Moritz Mühlenhoff
Date:
2026-06-04 13:25:02 UTC
Severity:
normal
Tags:
#1070393#5
Date:
2024-05-04 18:37:38 UTC
From:
To:
Hi,

The following vulnerability was published for gobgp.

CVE-2023-46565[0]:
| Buffer Overflow vulnerability in osrg gobgp commit
| 419c50dfac578daa4d11256904d0dc182f1a9b22 allows a remote attacker to
| cause a denial of service via the handlingError function in
| pkg/server/fsm.go.

https://github.com/osrg/gobgp/issues/2725


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46565
https://www.cve.org/CVERecord?id=CVE-2023-46565

Please adjust the affected versions in the BTS as needed.

#1070393#14
Date:
2025-04-05 14:23:26 UTC
From:
To:
  It is claimed that this was fixed in the 3.20.0 release[0,1,2] (or
maybe 3.21.0[3]), which would have been fixed in Debian with the
3.21.0-1 upload.

  However, the upstream bug report[4] is still open, and I don't see
anything in the commit or release notes indicating a fix for this
issue. Since the original report depends on a fuzzing setup, I haven't
been able to try reproducing the issue locally.

Mathias

[0] -- https://github.com/golang/vulndb/issues/3124
[1] -- https://github.com/osrg/gobgp/commit/419c50dfac578daa4d11256904d0dc182f1a9b22
[2] -- https://github.com/osrg/gobgp/releases/tag/v3.20.0
[3] -- https://github.com/advisories/GHSA-6rqv-5cg7-m4x3
[4] -- https://github.com/osrg/gobgp/issues/2725

#1070393#19
Date:
2025-04-05 15:04:57 UTC
From:
To:
Hi Mathias,

I'm not sure. Note that [1] is potentially not considered the
fixing commit, so [0,1,2] in my understanding refer to where the issue
is present. The original description did read:

| Buffer Overflow vulnerability in osrg gobgp commit
| 419c50dfac578daa4d11256904d0dc182f1a9b22 allows a remote attacker to
| cause a denial of service via the handlingError function in
| pkg/server/fsm.go.

this seems to be in line with GHSA-6rqv-5cg7-m4x3, which says
<= 3.20.0, but no patched version.

But the information about the issue is quite confusing. Given that
https://github.com/osrg/gobgp/issues/2725 is still open, might it be worth
reaching out to upstream?

Regards,
Salvatore

#1070393#26
Date:
2026-04-05 16:28:13 UTC
From:
To:
control: fixed -1 gobgp/4.3.0-1

  Got the following response from upstream:

  So in Debian it would have been fixed with the upload of 4.3.0-1.

Mathias

#1070393#33
Date:
2026-06-04 13:22:20 UTC
From:
To:
Closing fixed bug.