Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 717704 - <dev-libs/librdkafka-1.4.0: multiple vulnerabilities
Summary: <dev-libs/librdkafka-1.4.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/edenhill/librdkafk...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-16 12:10 UTC by Thomas Deutschmann (RETIRED)
Modified: 2020-04-30 23:36 UTC (History)
0 users

See Also:
Package list:
dev-libs/librdkafka-1.4.0 amd64 arm hppa x86
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-16 12:10:45 UTC 
From $URL:

> Security fixes
> 
> Two security issues have been identified in the SASL SCRAM protocol handler:
> 
>     The client nonce, which is expected to be a random string, was a static string.
>     If sasl.username and sasl.password contained characters that needed escaping, a buffer overflow and heap corruption would occur. This was protected, but too late, by an assertion.
> 
> Both of these issues are fixed in this release.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 20:23:14 UTC 
arm64 stable
Comment 2 Agostino Sarubbo gentoo-dev 2020-04-23 06:20:43 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-04-23 06:23:14 UTC 
arm stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-04-23 06:31:10 UTC 
x86 stable
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-23 14:42:13 UTC 
GLSA Vote: No
Comment 6 Rolf Eike Beer archtester 2020-04-30 07:00:26 UTC 
hppa stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-30 09:14:19 UTC 
@maintainer(s), please cleanup
Comment 8 Larry the Git Cow gentoo-dev 2020-04-30 23:36:16 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d43aca579cd3e0fa62569c2030f82db85c9bcb8e

commit d43aca579cd3e0fa62569c2030f82db85c9bcb8e
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-04-30 23:36:00 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-04-30 23:36:09 +0000

    dev-libs/librdkafka: security cleanup
    
    Bug: https://bugs.gentoo.org/717704
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/librdkafka/Manifest                       |  4 --
 ...librdkafka-1.1.0-remove-automagic-on-zstd.patch | 29 --------
 dev-libs/librdkafka/librdkafka-1.1.0.ebuild        | 78 ----------------------
 dev-libs/librdkafka/librdkafka-1.2.1.ebuild        | 76 ---------------------
 dev-libs/librdkafka/librdkafka-1.2.2.ebuild        | 76 ---------------------
 dev-libs/librdkafka/librdkafka-1.3.0.ebuild        | 76 ---------------------
 6 files changed, 339 deletions(-)
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-30 23:36:48 UTC 
Repository is clean, all done!