Bug 905098 - <net-libs/libsignal-protocol-c-2.3.3-r1: unsigned integer overflow in bundled protobuf-c
Summary: <net-libs/libsignal-protocol-c-2.3.3-r1: unsigned integer overflow in bundled...
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa?]
Keywords: PullRequest
Depends on: 907123
Blocks: CVE-2022-48468
Reported: 2023-04-26 03:38 UTC by Randy Barlow
Modified: 2023-06-18 23:35 UTC (History)
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description Randy Barlow 2023-04-26 03:38:29 UTC
Greetings!

I maintain libsignal-protocol-c in Fedora, and it was recently reported to me that its bundled protobuf-c was vulnerable to CVE-2022-48468. I had the thought that Gentoo might have the same vulnerability, and having checked, I think it likely does.

Here are some reference links about the issue:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468
https://bugzilla.redhat.com/show_bug.cgi?id=2186673

For reference, here is the commit I made in Fedora to address the issue, which includes a patch:

https://src.fedoraproject.org/rpms/libsignal-protocol-c/c/152eb06d164e7973fda49139bc5a51f3b23c0cf6?branch=rawhide
Comment 1 John Helmert III 2023-04-26 03:43:33 UTC
Thanks! It looks like we don't do any unbundling in the ebuild, so probably vulnerable?
Comment 2 Randy Barlow 2023-04-26 03:51:26 UTC
Hi John!

I think so, as it looks like Gentoo is just building the upstream tarball as-is, like Fedora was doing.

I opened https://github.com/gentoo/gentoo/pull/30764 for this to bring the Fedora patch over (though I realized that I'd messed up the From header in the Fedora patch so I changed it for the Gentoo one - I used the first person voice but made it look like one of the upstream patch authors had written the commit message. Whoops! I'll go make that same fix in Fedora now… ☺)
Comment 3 Larry the Git Cow 2023-05-18 07:39:22 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2e3eb85c45e83591be7faee69d58af55a10f8f4

commit c2e3eb85c45e83591be7faee69d58af55a10f8f4
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2023-04-26 03:45:40 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-05-18 07:26:00 +0000

    net-libs/libsignal-protocol-c: Fix CVE-2022-48468
    
    This commit fixes CVE-2022-48468 for this package's bundled
    protobuf-c.
    
    Here are some reference links about the issue:
    
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468
    https://bugzilla.redhat.com/show_bug.cgi?id=2186673
    
    For reference, here is the commit I made in Fedora to address the issue,
    which includes this patch:
    
    https://src.fedoraproject.org/rpms/libsignal-protocol-c/c/152eb06d164e7973fda49139bc5a51f3b23c0cf6?branch=rawhide
    
    Closes: https://bugs.gentoo.org/905098
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Closes: https://github.com/gentoo/gentoo/pull/30764
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 ...libsignal-protocol-c-2.3.3-CVE-2022-48468.patch | 53 ++++++++++++++++++++++
 .../libsignal-protocol-c-2.3.3-r1.ebuild           | 18 ++++++++
 2 files changed, 71 insertions(+)
Comment 4 John Helmert III 2023-05-25 03:25:42 UTC
Thanks! Please stable when ready.
Comment 5 Larry the Git Cow 2023-06-13 09:30:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4c1bd5eda9b7de001b586211455245e58b60856

commit f4c1bd5eda9b7de001b586211455245e58b60856
Author:     Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2023-06-06 21:54:17 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2023-06-13 09:29:57 +0000

    net-libs/libsignal-protocol-c: Drop 2.3.3
    
    This ebuild is vulnerable to CVE-2022-48468 and is superseded by
    libsignal-protocol-c-2.3.3-r1.ebuild, which remains in tree.
    
    Bug: https://bugs.gentoo.org/905098
    Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
    Closes: https://github.com/gentoo/gentoo/pull/31334
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 .../libsignal-protocol-c/libsignal-protocol-c-2.3.3.ebuild | 14 --------------
 1 file changed, 14 deletions(-)