Bug 606448 - <net-fs/davfs-1.5.4: stack buffer overflow
Summary: <net-fs/davfs-1.5.4: stack buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://savannah.nongnu.org/forum/for...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-18 20:07 UTC by Hanno Böck
Modified: 2017-01-21 23:31 UTC

See Also:
Package list:
=net-fs/davfs2-1.5.4
Runtime testing required: ---
stable-bot: sanity-check+


Description Hanno Böck gentoo-dev 2017-01-18 20:07:53 UTC
From upstream's changelog for 1.5.3:

"This release fixes a stack smashing error that only showed on 32-bit systems and when compiled with -fstack-protector-all."
https://savannah.nongnu.org/forum/forum.php?forum_id=8501

There are no more details, but this sounds like a security vulnerability. Given this is an implementation of a network protocol, this is certainly worrying.

We already have 1.5.4 in the tree, we should stabilize it.
Comment 1 Agostino Sarubbo gentoo-dev 2017-01-19 11:26:06 UTC
amd64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2017-01-19 11:34:41 UTC
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-01-21 20:38:19 UTC
ppc stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 4 Göktürk Yüksek archtester gentoo-dev 2017-01-21 21:00:29 UTC
commit 4cb763302f57bbfc6453dcfa1ee1d5b762852058
Author: Göktürk Yüksek <gokturk@gentoo.org>
Date:   Sat Jan 21 15:59:37 2017 -0500

    net-fs/davfs2: remove vulnerable version #606448
    
    Package-Manager: portage-2.3.0
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-21 23:31:03 UTC
No PoC for ACE/RCE, downgraded to B3.

GLSA Vote: No

Repository is clean.