Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 314187 (CVE-2010-0743) - sys-block/iscsitarget: remotely exploitable format string vulnerabilities (CVE-2010-0743)
Summary: sys-block/iscsitarget: remotely exploitable format string vulnerabilities (CV...
Status: RESOLVED FIXED
Alias: CVE-2010-0743
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High blocker (vote)
Assignee: Gentoo Security
URL: http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard: B0 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-04-09 18:13 UTC by Stefan Behte (RETIRED)
Modified: 2012-01-23 12:19 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-04-09 18:13:34 UTC 
Patch:
http://git.kernel.org/?p=linux/kernel/git/tomo/tgt.git;a=commitdiff;h=107d922706cd36f3bb79bcca9bc4678c32f22e59

I've checked our code: iscsitarget-1.4.19 has the patch, but it's not stable yet.

@base-system: is 1.4.19 it ok to go stable?
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-11 14:02:03 UTC 
CVE-2010-0743 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0743):
  Multiple format string vulnerabilities in isns.c in (1) Linux SCSI
  target framework (aka tgt or scsi-target-utils) 1.0.3, 0.9.5, and
  earlier and (2) iSCSI Enterprise Target (aka iscsitarget) 0.4.16
  allow remote attackers to cause a denial of service (tgtd daemon
  crash) or possibly have unspecified other impact via vectors that
  involve the isns_attr_query and qry_rsp_handle functions, and are
  related to (a) client appearance and (b) client disappearance
  messages.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-06-19 16:57:04 UTC 
Arches, please test and mark stable:
=sys-block/iscsitarget-1.4.19
Target keywords : "amd64 ppc x86"
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-06-20 09:34:40 UTC 
x86 stable
Comment 4 Markus Meier gentoo-dev 2010-06-21 20:22:35 UTC 
amd64 stable
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 13:06:50 UTC 
*ping* ppc
Comment 6 Joe Jezak (RETIRED) gentoo-dev 2010-08-11 17:57:38 UTC 
Marked ppc stable, sorry about the delay.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-06 13:15:35 UTC 
GLSA request filed.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-01-23 12:19:10 UTC 
This issue was resolved and addressed in
 GLSA 201201-06 at http://security.gentoo.org/glsa/glsa-201201-06.xml
by GLSA coordinator Sean Amoss (ackle).