Description: "Stack-based buffer overflow in the isofs_real_readdir function in isofs.c in FuseISO 20070708 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long pathname in an ISO file." URL: https://bugzilla.redhat.com/show_bug.cgi?id=863091 URL: https://bugzilla.redhat.com/show_bug.cgi?id=862211 URL: https://www.debian.org/security/2016/dsa-3551 Patches: * https://sources.debian.org/patches/fuseiso/20070708-3.2/02-prevent-buffer-overflow.patch/ (for this vulnerability) * https://sources.debian.org/patches/fuseiso/20070708-3.2/03-prevent-integer-overflow.patch/ (a separate integer overflow issue)
@maintainer(s), please create a suitable ebuild (IMO: apply the patches from Debian linked above).
@maintainer, ping.
ping..
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=675031ceeb5731701376347641f857d3d00c8322 commit 675031ceeb5731701376347641f857d3d00c8322 Author: Sam James <sam@gentoo.org> AuthorDate: 2020-07-19 19:06:17 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2020-07-19 19:06:17 +0000 sys-fs/fuseiso: revbump for security patches This fixes CVE-2015-8837 and another possible vulnerability using patches from Debian. Bug: https://bugs.gentoo.org/713328 Package-Manager: Portage-2.3.103, Repoman-2.3.23 Signed-off-by: Sam James <sam@gentoo.org> .../files/fuseiso-20070708-CVE-2015-8837.patch | 35 ++++++++++++++++++++++ .../files/fuseiso-20070708-integer-overflow.patch | 16 ++++++++++ sys-fs/fuseiso/fuseiso-20070708-r3.ebuild | 28 +++++++++++++++++ 3 files changed, 79 insertions(+)
x86 stable
amd64 stable. Please cleanup.
This issue was resolved and addressed in GLSA 202007-20 at https://security.gentoo.org/glsa/202007-20 by GLSA coordinator Sam James (sam_c).
(In reply to GLSAMaker/CVETool Bot from comment #7) > This issue was resolved and addressed in > GLSA 202007-20 at https://security.gentoo.org/glsa/202007-20 > by GLSA coordinator Sam James (sam_c). Reopening for cleanup.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f21c97c1fbade4e7fadee7a1e18b880976164416 commit f21c97c1fbade4e7fadee7a1e18b880976164416 Author: Sam James <sam@gentoo.org> AuthorDate: 2020-07-27 02:31:16 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2020-07-27 03:15:17 +0000 sys-fs/fuseiso: security cleanup Closes: https://bugs.gentoo.org/713328 Package-Manager: Portage-3.0.0, Repoman-2.3.23 Signed-off-by: Sam James <sam@gentoo.org> sys-fs/fuseiso/fuseiso-20070708-r2.ebuild | 22 ---------------------- 1 file changed, 22 deletions(-)