CVE-2022-2652: Depending on the way the format strings in the card label are crafted it's possible to leak kernel stack memory. There is also the possibility for DoS due to the v4l2loopback kernel module crashing when providing the card label on request (reproduce e.g. with many %s modifiers in a row). Unreleased patch: https://github.com/umlaeute/v4l2loopback/commit/e4cd225557486c420f6a34411f98c575effd43dd
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=032d9f3e8f89b760dc4d179a79128ae0490387b7 commit 032d9f3e8f89b760dc4d179a79128ae0490387b7 Author: Andrew Ammerlaan <andrewammerlaan@gentoo.org> AuthorDate: 2023-06-21 08:25:15 +0000 Commit: Andrew Ammerlaan <andrewammerlaan@gentoo.org> CommitDate: 2023-06-21 08:29:43 +0000 media-video/v4l2loopback: migrate to linux-mod-r1.eclass, EAPI bump This should also fix Bug 843053 (please confirm that it works now) Should also fix the open CVE-2022-2652, the mentioned patch is in this release Bug: https://bugs.gentoo.org/864442 Bug: https://bugs.gentoo.org/843053 Closes: https://bugs.gentoo.org/888649 Closes: https://bugs.gentoo.org/908723 Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org> media-video/v4l2loopback/Manifest | 1 + .../v4l2loopback/v4l2loopback-0.12.7.ebuild | 59 ++++++++++++++++++++++ media-video/v4l2loopback/v4l2loopback-9999.ebuild | 19 +++---- 3 files changed, 70 insertions(+), 9 deletions(-)
Thanks! Please stable when ready
As far as I can tell this package never had stable versions. Please clean up vulnerable version 0.12.5-r1.
Version 0.12.5 was dropped in this commit: https://github.com/gentoo/gentoo/commit/84dfa7a5ba6b4bdeb0a53eb865d44aa437f31e19 This bug can be closed now.
