Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 907928 (CVE-2023-33461) - <dev-libs/iniparser-4.1-r1: null pointer dereference
Summary: <dev-libs/iniparser-4.1-r1: null pointer dereference
Status: CONFIRMED
Alias: CVE-2023-33461
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://github.com/ndevilla/iniparser...
Whiteboard: A3 [glsa?]
Keywords:
Depends on: 915688
Blocks:
  Show dependency tree
 
Reported: 2023-06-06 04:04 UTC by John Helmert III
Modified: 2024-04-05 14:57 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-06 04:04:53 UTC 
CVE-2023-33461:

iniparser v4.1 is vulnerable to NULL Pointer Dereference in function iniparser_getlongint which misses check NULL for function iniparser_getstring's return.
Comment 1 Larry the Git Cow gentoo-dev 2023-06-07 07:42:52 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d0191b1f3430240225b3e6c565f8ab6a9715996

commit 7d0191b1f3430240225b3e6c565f8ab6a9715996
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2023-06-07 07:41:05 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2023-06-07 07:42:49 +0000

    dev-libs/iniparser: add patch for CVE-2023-33461 from upstream
    
    - drop old 3.1-r3
    - drop obsolete patches
    - add patch from upstream for CVE-2023-33461
    - drop my maintainership, portage-utils doesn't use this any more
    
    Bug: https://bugs.gentoo.org/907928
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 dev-libs/iniparser/Manifest                        |  1 -
 .../iniparser/files/iniparser-3.0-autotools.patch  | 38 -----------
 dev-libs/iniparser/files/iniparser-3.0b-cpp.patch  | 45 -------------
 .../files/iniparser-4.0-out-of-bounds-read.patch   | 11 ----
 .../files/iniparser-4.1-CVE-null-getstring.patch   | 43 +++++++++++++
 dev-libs/iniparser/iniparser-3.1-r3.ebuild         | 50 ---------------
 dev-libs/iniparser/iniparser-4.1-r1.ebuild         | 75 ++++++++++++++++++++++
 dev-libs/iniparser/metadata.xml                    |  4 --
 8 files changed, 118 insertions(+), 149 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2023-06-07 09:10:19 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39a9bd70a1e8d20932d232d407d4eeeb7af13dda

commit 39a9bd70a1e8d20932d232d407d4eeeb7af13dda
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-07 09:07:36 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-07 09:09:22 +0000

    sys-block/ndctl: add 77
    
    Bug: https://bugs.gentoo.org/907928
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-block/ndctl/Manifest                        |  1 +
 sys-block/ndctl/files/ndctl-77-iniparser4.patch | 19 ++++++
 sys-block/ndctl/ndctl-77.ebuild                 | 80 +++++++++++++++++++++++++
 3 files changed, 100 insertions(+)
Comment 3 Hans de Graaff gentoo-dev Security 2023-10-13 14:55:59 UTC 
Ping. Please file a stable bug for iniparser-4.1-r1 if possible.
Comment 4 Hans de Graaff gentoo-dev Security 2024-04-05 09:22:47 UTC 
Ping. Please remove the vulnerable versions 4.1.
Comment 5 Larry the Git Cow gentoo-dev 2024-04-05 14:23:48 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05ad0949d64fe1065d92726dcd2f5c89e7b72c65

commit 05ad0949d64fe1065d92726dcd2f5c89e7b72c65
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2024-04-05 14:17:47 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2024-04-05 14:23:38 +0000

    dev-libs/iniparser: drop 4.1
    
    Bug: https://bugs.gentoo.org/907928
    
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 dev-libs/iniparser/iniparser-4.1.ebuild | 71 ---------------------------------
 1 file changed, 71 deletions(-)
Comment 6 Hans de Graaff gentoo-dev Security 2024-04-05 14:57:44 UTC 
Thanks!