Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 799782 (CVE-2021-36082) - <net-libs/nDPI-4.0: stack buffer overflow in processClientServerHello (CVE-2021-36082)
Summary: <net-libs/nDPI-4.0: stack buffer overflow in processClientServerHello (CVE-20...
Status: RESOLVED FIXED
Alias: CVE-2021-36082
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://bugs.chromium.org/p/oss-fuzz/...
Whiteboard: ~2 [noglsa]
Keywords:
Depends on: 830403
Blocks:
  Show dependency tree
 
Reported: 2021-07-02 01:24 UTC by John Helmert III
Modified: 2022-08-16 21:24 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-02 01:24:26 UTC
CVE-2021-36082:

ntop nDPI 3.4 has a stack-based buffer overflow in processClientServerHello.

Patch: https://github.com/ntop/nDPI/commit/1ec621c85b9411cc611652fd57a892cfef478af3
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:21:15 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:29:23 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:37:20 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:45:26 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:53:31 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:01:24 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:09:46 UTC
Package list is empty or all packages have requested keywords.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 17:13:01 UTC
Released in nDPI-4
Comment 9 Larry the Git Cow gentoo-dev 2022-01-03 11:23:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39868efcc6779ea5e5272c3434e4a59f0bae9aa1

commit 39868efcc6779ea5e5272c3434e4a59f0bae9aa1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-03 11:20:05 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-03 11:21:21 +0000

    net-analyzer/ntopng: add 5.0
    
    As with nDPI, aware of the ar-directly and other similar bugs,
    but am trying to address this first upstream & go from there.
    
    Bug: https://bugs.gentoo.org/799782
    Bug: https://bugs.gentoo.org/830403
    Signed-off-by: Sam James <sam@gentoo.org>

 net-analyzer/ntopng/Manifest          |  1 +
 net-analyzer/ntopng/ntopng-5.0.ebuild | 92 +++++++++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa4c91dd460e1604ec58cc6b3531e8170812da3f

commit fa4c91dd460e1604ec58cc6b3531e8170812da3f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-01-03 10:50:06 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-01-03 11:21:20 +0000

    net-libs/nDPI: add 4.0
    
    Includes a patch which adds an API to allow ntopong to work too.
    
    (Working on ar/other build system patches upstream.)
    
    Bug: https://bugs.gentoo.org/799782
    Bug: https://bugs.gentoo.org/625730
    Closes: https://bugs.gentoo.org/830403
    Thanks-to: Larry Sexton <sexton.larry048@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/nDPI/Manifest         |  2 ++
 net-libs/nDPI/nDPI-4.0.ebuild  | 59 ++++++++++++++++++++++++++++++++++++
 net-libs/nDPI/nDPI-9999.ebuild | 68 ++++++++++++++++++++----------------------
 3 files changed, 93 insertions(+), 36 deletions(-)
Comment 10 Larry the Git Cow gentoo-dev 2022-08-16 21:24:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=264f9235c9e09fa072e972c5587c4373d8c015f1

commit 264f9235c9e09fa072e972c5587c4373d8c015f1
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-16 21:23:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-16 21:23:11 +0000

    net-libs/nDPI: drop 3.4
    
    Bug: https://bugs.gentoo.org/799782
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 net-libs/nDPI/Manifest                             |  1 -
 .../files/nDPI-3.4-configure-fail-libcap.patch     | 19 -------
 .../nDPI-3.4-fix-oob-in-kerberos-dissector.patch   | 16 ------
 net-libs/nDPI/nDPI-3.4.ebuild                      | 65 ----------------------
 4 files changed, 101 deletions(-)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-16 21:24:47 UTC
Tree is clean, all done