617326 – dev-libs/librevenge: Container-overflow in librevenge::RVNGStringStreamPrivate::RVNGStringStreamPrivate

Bug 617326 - dev-libs/librevenge: Container-overflow in librevenge::RVNGStringStreamPrivate::RVNGStringStreamPrivate

Summary: dev-libs/librevenge: Container-overflow in librevenge::RVNGStringStreamPrivat...

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://bugs.chromium.org/p/oss-fuzz/...
Whiteboard:	A3 [upstream/ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2017-05-03 12:03 UTC by Agostino Sarubbo
Modified:	2017-05-03 19:05 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2017-05-03 12:03:53 UTC

OSS-Fuzz is a Continuous Fuzzing for Open Source Software.

When a bug is found, it is filed on bugs.chromium.org instead of the upstream's bugzilla.
If the bug at $URL is public, that means that the issue has been fixed in the upstream git repository, so when upstream does not add anything useful in that place, you can:
1) Check the range date when ClusterFuzz has detected that the issue has been fixed and dig into upstream git repository;
2) Check if upstream made a new release after the issue has been fixed;
3) Get in touch with upstream.

See $URL for more details about the issue.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Andreas K. Hüttel archtester

2017-05-03 19:05:26 UTC

1) the linked commit is not in librevenge
2) the linked commit does not refer to this problem at all

Please add more info, otherwise this is a waste of time.