1) CVE-2017-7476

Description:
"Gnulib before 2017-04-26 has a heap-based buffer overflow with the TZ environment variable. The error is in the save_abbr function in time_rz.c."

Patch:
https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=94e01571507835ff59dd8ce2a0b56a4b566965a4

2) CVE-2018-17942

Description:
"The convert_to_decimal function in vasnprintf.c in Gnulib before 2018-09-23 has a heap-based buffer overflow because memory is not allocated for a trailing '\0' character during %f processing."

Patch:
https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=278b4175c9d7dd47c1a3071554aac02add3b3c35

Note that this did affect coreutils, but the affected versions are out of tree now.

Vulnerability 1)
https://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=commit;h=9287ef2b1707e2a222f8ae776ce3785abcb16fba (fixed in coreutils 8.28)

Vulnerability 2)
https://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=commit;h=9c3730e601b72b4478e81d3c75e06ede4cfd93bc (this is the first sync w/ gnulib after the fix, looks like first release after this was 8.31).

--

Also, for vulnerability 1, a URL:
https://bugzilla.redhat.com/show_bug.cgi?id=1444774

(In reply to sam_c (Security Padawan) from comment #1)
> Note that this did affect coreutils, but the affected versions are out of
> tree now.
>

Sorry, please ignore this part for now. This is not clear wrt vulnerability 2.

> Vulnerability 2)
> https://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=commit;h=9c3730e601b72b4478e81d3c75e06ede4cfd93bc
> (this is the first sync w/ gnulib
> after the fix, looks like first release after this was 8.31).
>

Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4ZP6L5HXDOVKYTM5ELLYE64H75MT4LZR/

So it looks like this might indeed affect coreutils < 8.31.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bdb4e687666320e19dd8bc2b3565b01e08e88788

commit bdb4e687666320e19dd8bc2b3565b01e08e88788
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-03-18 05:57:14 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-03-18 05:57:14 +0000

    dev-libs/gnulib: remove vulnerable versions

    Bug: https://bugs.gentoo.org/713104
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 dev-libs/gnulib/Manifest                          |  2 --
 dev-libs/gnulib/gnulib-2016.12.21.08.39.01.ebuild | 43 -----------------------
 dev-libs/gnulib/gnulib-2017.12.19.15.53.47.ebuild | 43 -----------------------
 3 files changed, 88 deletions(-)

Closing because tree clean and noglsa.