Bug 674354 - <dev-libs/uriparser-0.9.1: out-of-bounds read
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-01-02 17:18 UTC by Sebastian Pipping
Modified: 2019-04-04 20:48 UTC

See Also:
Package list:
=dev-libs/uriparser-0.9.1 =dev-cpp/gtest-1.8.1
Runtime testing required: No
stable-bot: sanity-check+

Description Sebastian Pipping gentoo-dev 2019-01-02 17:18:03 UTC
Related change log entry:
https://github.com/uriparser/uriparser/blob/uriparser-0.9.1/ChangeLog#L9

Any objections to stabilizing 0.9.1 a bit quicker for security?
No objections to dropping all other versions from my side.


# eshowkw 
Keywords for dev-libs/uriparser:
            |                           a     |       |  
            |                           m     |       |  
            |                           d   x |       |  
            |                           6   8 |       |  
            |                           4   6 |   u   |  
            | a a   a     p           s |   | |   n   |  
            | l m   r i   p   h m s   p f m f | e u s | r
            | p d a m a p c x p 6 3   a b i b | a s l | e
            | h 6 r 6 6 p 6 8 p 8 9 s r s p s | p e o | p
            | a 4 m 4 4 c 4 6 a k 0 h c d s d | i d t | o
------------+---------------------------------+-------+-------
   0.8.4-r1 | o + ~ o o + ~ + o o o o o o o o | 6 o 0 | gentoo
   0.8.5    | o ~ ~ o o ~ ~ ~ o o o o o o o o | 6 #   | gentoo
   0.8.6    | o ~ ~ o o ~ ~ ~ o o o o o o o o | 6 #   | gentoo
   0.9.0    | o ~ ~ o o ~ ~ ~ o o o o o o o o | 7 #   | gentoo
[I]0.9.1    | o ~ ~ o o ~ ~ ~ o o o o o o o o | 7 o   | gentoo
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-03-24 02:19:05 UTC
@arches, please stabilize.
Comment 2 Stabilization helper bot gentoo-dev 2019-03-24 03:01:44 UTC
An automated check of this bug failed - repoman reported dependency errors (47 lines truncated): 

> dependency.bad dev-libs/uriparser/uriparser-0.9.1.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=dev-cpp/gtest-1.8.1']
> dependency.bad dev-libs/uriparser/uriparser-0.9.1.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-cpp/gtest-1.8.1']
> dependency.bad dev-libs/uriparser/uriparser-0.9.1.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop/gnome) ['>=dev-cpp/gtest-1.8.1']
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2019-03-24 23:35:31 UTC
GLSA Vote: No

Please continue with stabilization
Comment 4 ernsteiswuerfel archtester 2019-03-27 13:37:09 UTC
Looking good on ppc.

# cat uriparser-674354.report 
USE tests started on Mi 27. Mär 13:51:36 CET 2019

FEATURES=' test' USE='' succeeded for =dev-libs/uriparser-0.9.1
USE='-doc -qt5 -unicode' succeeded for =dev-libs/uriparser-0.9.1
USE='doc -qt5 -unicode' succeeded for =dev-libs/uriparser-0.9.1
USE='-doc qt5 -unicode' succeeded for =dev-libs/uriparser-0.9.1
USE='doc qt5 -unicode' succeeded for =dev-libs/uriparser-0.9.1
USE='-doc -qt5 unicode' succeeded for =dev-libs/uriparser-0.9.1
USE='doc -qt5 unicode' succeeded for =dev-libs/uriparser-0.9.1
USE='-doc qt5 unicode' succeeded for =dev-libs/uriparser-0.9.1
USE='doc qt5 unicode' succeeded for =dev-libs/uriparser-0.9.1

FEATURES=' test' USE='' succeeded for =dev-cpp/gtest-1.8.1
USE='-doc -examples' succeeded for =dev-cpp/gtest-1.8.1
USE='doc -examples' succeeded for =dev-cpp/gtest-1.8.1
USE='-doc examples' succeeded for =dev-cpp/gtest-1.8.1
USE='doc examples' succeeded for =dev-cpp/gtest-1.8.1

revdep tests started on Mi 27. Mär 14:04:45 CET 2019

FEATURES=' test' USE='' succeeded for media-libs/libxspf
FEATURES=' test' USE='xspf' succeeded for media-sound/fapg
Comment 5 Agostino Sarubbo gentoo-dev 2019-03-27 20:05:15 UTC
amd64 stable
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 23:47:09 UTC
x86 stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2019-03-28 00:07:46 UTC
@maintainer(s), please drop vulnerable.

ppc stable thanks to ernsteiswuerfel!
Comment 8 Larry the Git Cow gentoo-dev 2019-03-31 20:09:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=624bab09f7e792baea6716ade0746499497b34d6

commit 624bab09f7e792baea6716ade0746499497b34d6
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2019-03-31 20:08:31 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2019-03-31 20:09:18 +0000

    dev-libs/uriparser: Remove vulnerable
    
    Bug: https://bugs.gentoo.org/674354
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.12

 dev-libs/uriparser/Manifest                        |  4 --
 .../files/uriparser-0.8.4-doc-install.patch        | 13 ------
 dev-libs/uriparser/uriparser-0.8.4-r1.ebuild       | 51 ----------------------
 dev-libs/uriparser/uriparser-0.8.5.ebuild          | 42 ------------------
 dev-libs/uriparser/uriparser-0.8.6.ebuild          | 42 ------------------
 dev-libs/uriparser/uriparser-0.9.0.ebuild          | 41 -----------------
 6 files changed, 193 deletions(-)
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2019-04-02 06:34:24 UTC
Arches and Maintainer(s), Thank you for your work.