Greetings! I maintain libsignal-protocol-c in Fedora, and it was recently reported to me that its bundled protobuf-c was vulnerable to CVE-2022-48468. I had the thought that Gentoo might have the same vulnerability, and having checked, I think it likely does. Here are some reference links about the issue:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468
https://bugzilla.redhat.com/show_bug.cgi?id=2186673
For reference, here is the commit I made in Fedora to address the issue, which includes a patch:
https://src.fedoraproject.org/rpms/libsignal-protocol-c/c/152eb06d164e7973fda49139bc5a51f3b23c0cf6?branch=rawhide
Thanks! It looks like we don't do any unbundling in the ebuild, so probably vulnerable?
Hi John! I think so, as it looks like Gentoo is just building the upstream tarball as-is, like Fedora was doing. I opened https://github.com/gentoo/gentoo/pull/30764 for this to bring the Fedora patch over (though I realized that I'd messed up the From header in the Fedora patch, so I changed it for the Gentoo one: I used the first-person voice but made it look like one of the upstream patch authors had written the commit message. Whoops! I'll go make that same fix in Fedora now… ☺)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2e3eb85c45e83591be7faee69d58af55a10f8f4

commit c2e3eb85c45e83591be7faee69d58af55a10f8f4
Author: Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2023-04-26 03:45:40 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-05-18 07:26:00 +0000

net-libs/libsignal-protocol-c: Fix CVE-2022-48468

This commit fixes CVE-2022-48468 for this package's bundled protobuf-c. Here are some reference links about the issue:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48468
https://bugzilla.redhat.com/show_bug.cgi?id=2186673
For reference, here is the commit I made in Fedora to address the issue, which includes this patch:
https://src.fedoraproject.org/rpms/libsignal-protocol-c/c/152eb06d164e7973fda49139bc5a51f3b23c0cf6?branch=rawhide

Closes: https://bugs.gentoo.org/905098
Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
Closes: https://github.com/gentoo/gentoo/pull/30764
Signed-off-by: Joonas Niilola <juippis@gentoo.org>

...libsignal-protocol-c-2.3.3-CVE-2022-48468.patch | 53 ++++++++++++++++++++++
.../libsignal-protocol-c-2.3.3-r1.ebuild | 18 ++++++++
2 files changed, 71 insertions(+)
Thanks! Please stable when ready.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4c1bd5eda9b7de001b586211455245e58b60856

commit f4c1bd5eda9b7de001b586211455245e58b60856
Author: Randy Barlow <randy@electronsweatshop.com>
AuthorDate: 2023-06-06 21:54:17 +0000
Commit: Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2023-06-13 09:29:57 +0000

net-libs/libsignal-protocol-c: Drop 2.3.3

This ebuild is vulnerable to CVE-2022-48468 and is superseded by libsignal-protocol-c-2.3.3-r1.ebuild, which remains in tree.

Bug: https://bugs.gentoo.org/905098
Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
Closes: https://github.com/gentoo/gentoo/pull/31334
Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

.../libsignal-protocol-c/libsignal-protocol-c-2.3.3.ebuild | 14 --------------
1 file changed, 14 deletions(-)