Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 542264 (CVE-2015-2675) - <net-libs/rest-0.7.92-r2: memory corruption when using oauth because of implicit declaration of rest_proxy_call_get_url
Summary: <net-libs/rest-0.7.92-r2: memory corruption when using oauth because of impli...
Status: RESOLVED FIXED
Alias: CVE-2015-2675
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on: gnome-3.14-stable
Blocks:
  Show dependency tree
 
Reported: 2015-03-05 15:42 UTC by Agostino Sarubbo
Modified: 2016-11-30 03:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-03-05 15:42:42 UTC
From ${URL} :

It was reported [1] that the OAuth implementation in librest, a helper library for RESTful services 
part of the GNOME project, incorrectly truncates the pointer returned by the 
rest_proxy_call_get_url function call, leading to an application crash, or worse.

Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=742644
Commit: https://git.gnome.org/browse/librest/commit/?id=b50ace7738ea038

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1183982


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-03-05 18:21:05 UTC
Thanks, fixed.

+*rest-0.7.92-r2 (05 Mar 2015)
+
+  05 Mar 2015; Alexandre Rostovtsev <tetromino@gentoo.org> -rest-0.7.91.ebuild,
+  +rest-0.7.92-r2.ebuild, +files/rest-0.7.92-oauth-missing-include.patch,
+  +files/rest-0.7.92-tests-GError-pointers.patch,
+  +files/rest-0.7.92-xml-parser-missing-break.patch:
+  Fix potentially exploitable memory corruption (bug #542264, thanks to
+  Agostino Sarubbo). Punt old.

Note to arch teams: you will first need to stabilize =net-libs/libsoup-gnome-2.46.0-r1 due to multilib deps.
Comment 2 Pacho Ramos gentoo-dev 2016-04-02 12:18:42 UTC
the fixed version is in stable for some time
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 18:48:17 UTC
Like already said package is already stable. No vulnerable version left in repository.


@ Security: Please vote!
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-11-30 03:44:40 UTC
GLSA Vote: No