Bug 861803 (CVE-2022-2509) - <net-libs/gnutls-3.7.7: Double free in PKCS7 signature verification
Summary: <net-libs/gnutls-3.7.7: Double free in PKCS7 signature verification
Status: IN_PROGRESS
Alias: CVE-2022-2509
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa?]
Keywords:
Depends on: 866235
Blocks:
Reported: 2022-07-29 05:11 UTC by Sam James
Modified: 2024-04-05 09:20 UTC
See Also:
Package list:
Runtime testing required: ---
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-07-29 05:11:53 UTC
From 3.7.7 release notes:
** libgnutls: Fixed double free during verification of pkcs7 signatures.
Reported by Jaak Ristioja (#1383). [GNUTLS-SA-2022-07-07, CVSS: medium][CVE-2022-2509]

https://gitlab.com/gnutls/gnutls/-/issues/1383 isn't made public yet.
Comment 1 Larry the Git Cow gentoo-dev 2022-07-29 05:14:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a51aa34ac6e479cdbc4df45461dd5f70bb24d8ff

commit a51aa34ac6e479cdbc4df45461dd5f70bb24d8ff
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-07-29 05:14:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-29 05:14:31 +0000

    net-libs/gnutls: add 3.7.7
    
    Bug: https://bugs.gentoo.org/861803
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/gnutls/Manifest            |   2 +
 net-libs/gnutls/gnutls-3.7.7.ebuild | 144 ++++++++++++++++++++++++++++++++++++
 2 files changed, 146 insertions(+)
Comment 2 Hans de Graaff gentoo-dev Security 2023-10-08 08:11:12 UTC
Ping. Please remove vulnerable version gnutls-3.7.6.
Comment 3 Hans de Graaff gentoo-dev Security 2024-04-05 09:20:31 UTC
commit 6ebf59f39cd74d9f923e58850ec66b51ab32bfb7
Author: Sam James <sam@gentoo.org>
Date:   Fri Mar 22 05:04:07 2024 +0000

    net-libs/gnutls: drop 3.7.6, 3.7.7