Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 180538 - sys-apps/findutils Heap overflow (CVE-2007-2452)
Summary: sys-apps/findutils Heap overflow (CVE-2007-2452)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL: http://lists.gnu.org/archive/html/inf...
Whiteboard: A1 [stable] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2007-06-01 11:26 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2020-03-28 23:17 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-01 11:26:44 UTC 
#20014: Findutils-4.2.31 includes a patch for a potential security
problem in locate.  When locate read an old-format database, it read
file names into a fixed-length buffer allocated on the heap without
checking for overflow.  Although overflowing a heap buffer is often
somewhat safer than overflowing a buffer on the stack, this bug still
has potential security implications.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-01 11:28:20 UTC 
Base-system please advise and patch as necessary.
Comment 2 SpanKY gentoo-dev 2007-06-01 14:16:26 UTC 
findutils-4.2.31 now in the tree
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-02 14:13:19 UTC 
Thx Vapier.

Arches please test and mark stable. Target keywords are:

findutils-4.2.31.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
Comment 4 Christoph Mende (RETIRED) gentoo-dev 2007-06-02 14:30:37 UTC 
amd64 done
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2007-06-02 14:47:19 UTC 
alpha/ia64/x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2007-06-02 14:56:11 UTC 
Stable for HPPA.
Comment 7 Luca Barbato gentoo-dev 2007-06-02 19:15:40 UTC 
Marked ppc and ppc64
Comment 8 Jonathan Smith (RETIRED) gentoo-dev 2007-06-02 19:35:56 UTC 
gentoo isn't actually affected by this issue, nor are most linux distros.

from the ebuild:
	# Don't build or install locate because it conflicts with slocate,
	# which is a secure version of locate.  See bug 18729
	sed -i '/^SUBDIRS/s/locate//' Makefile.in
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-03 06:34:32 UTC 
Thx Jonathan for clearing that up. Sorry for the noise.