From 3.2.0 release notes: "Various zlib fixes, including security fixes for CVE-2016-9843, CVE-2016-9842, CVE-2016-9841, and CVE-2016-9840." Also: "Avoid a potential out-of-bounds read in daemon mode if argc can be made to become 0."
[Note that USE=system-zlib is not vulnerable to this, because of the fixes in bug 601828].
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f8b0a10cde068cb69c2714a61b5f8d00e96ea99

commit 9f8b0a10cde068cb69c2714a61b5f8d00e96ea99
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-20 01:20:59 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-20 01:28:09 +0000

    net-misc/rsync: Bump to version 3.2.0. Removed old

    Bug: https://bugs.gentoo.org/728852
    Package-Manager: Portage-2.3.101, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-misc/rsync/Manifest | 2 +-
 net-misc/rsync/files/rsync-3.2.0-simd_check.patch | 24 ++++++++++++++++++++++
 .../rsync/files/rsync-3.2.0_pre3-simd_check.patch | 24 ----------------------
 ...{rsync-3.2.0_pre3.ebuild => rsync-3.2.0.ebuild} | 4 ++--
 4 files changed, 27 insertions(+), 27 deletions(-)
Unable to check for sanity:

> no match for package: net-misc/rsync-3.2.0
x86 stable
arm64 stable
arm stable
ppc stable
ppc64 stable
s390 stable
hppa/sparc stable
amd64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5eb79a6c9300e9385ffb6eac6fff0ef041bef693

commit 5eb79a6c9300e9385ffb6eac6fff0ef041bef693
Author: Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-06-25 08:22:20 +0000
Commit: Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-06-25 08:34:41 +0000

    net-misc/rsync: Security cleanup

    Bug: https://bugs.gentoo.org/728852
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-misc/rsync/Manifest | 1 -
 net-misc/rsync/rsync-3.1.3.ebuild | 91 ---------------------------------------
 2 files changed, 92 deletions(-)

commit 98406e6c893975bb61cddd26dfbb083bc03c6cb4
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Thu Jun 25 11:19:46 2020

    Revert "net-misc/rsync: Security cleanup"

    This reverts commit 5eb79a6c9300e9385ffb6eac6fff0ef041bef693.
    because >=rsync-3.2.0 has no riscv keyword yet

    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Cleanup done.
This issue was resolved and addressed in GLSA 202007-54 at https://security.gentoo.org/glsa/202007-54 by GLSA coordinator Sam James (sam_c).