CVE-2023-33461: iniparser v4.1 is vulnerable to NULL Pointer Dereference in function iniparser_getlongint which misses check NULL for function iniparser_getstring's return.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d0191b1f3430240225b3e6c565f8ab6a9715996 commit 7d0191b1f3430240225b3e6c565f8ab6a9715996 Author: Fabian Groffen <grobian@gentoo.org> AuthorDate: 2023-06-07 07:41:05 +0000 Commit: Fabian Groffen <grobian@gentoo.org> CommitDate: 2023-06-07 07:42:49 +0000 dev-libs/iniparser: add patch for CVE-2023-33461 from upstream - drop old 3.1-r3 - drop obsolete patches - add patch from upstream for CVE-2023-33461 - drop my maintainership, portage-utils doesn't use this any more Bug: https://bugs.gentoo.org/907928 Signed-off-by: Fabian Groffen <grobian@gentoo.org> dev-libs/iniparser/Manifest | 1 - .../iniparser/files/iniparser-3.0-autotools.patch | 38 ----------- dev-libs/iniparser/files/iniparser-3.0b-cpp.patch | 45 ------------- .../files/iniparser-4.0-out-of-bounds-read.patch | 11 ---- .../files/iniparser-4.1-CVE-null-getstring.patch | 43 +++++++++++++ dev-libs/iniparser/iniparser-3.1-r3.ebuild | 50 --------------- dev-libs/iniparser/iniparser-4.1-r1.ebuild | 75 ++++++++++++++++++++++ dev-libs/iniparser/metadata.xml | 4 -- 8 files changed, 118 insertions(+), 149 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=39a9bd70a1e8d20932d232d407d4eeeb7af13dda commit 39a9bd70a1e8d20932d232d407d4eeeb7af13dda Author: Sam James <sam@gentoo.org> AuthorDate: 2023-06-07 09:07:36 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-06-07 09:09:22 +0000 sys-block/ndctl: add 77 Bug: https://bugs.gentoo.org/907928 Signed-off-by: Sam James <sam@gentoo.org> sys-block/ndctl/Manifest | 1 + sys-block/ndctl/files/ndctl-77-iniparser4.patch | 19 ++++++ sys-block/ndctl/ndctl-77.ebuild | 80 +++++++++++++++++++++++++ 3 files changed, 100 insertions(+)
Ping. Please file a stable bug for iniparser-4.1-r1 if possible.
Ping. Please remove the vulnerable versions 4.1.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=05ad0949d64fe1065d92726dcd2f5c89e7b72c65 commit 05ad0949d64fe1065d92726dcd2f5c89e7b72c65 Author: Ben Kohler <bkohler@gentoo.org> AuthorDate: 2024-04-05 14:17:47 +0000 Commit: Ben Kohler <bkohler@gentoo.org> CommitDate: 2024-04-05 14:23:38 +0000 dev-libs/iniparser: drop 4.1 Bug: https://bugs.gentoo.org/907928 Signed-off-by: Ben Kohler <bkohler@gentoo.org> dev-libs/iniparser/iniparser-4.1.ebuild | 71 --------------------------------- 1 file changed, 71 deletions(-)
Thanks!
Hi! This is fixed upstream in iniparser-4.2.2. See https://github.com/gentoo/gentoo/pull/36797
