From the NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39976 ``` log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long log messages because the header size is not considered. ``` Reproducible: Always
Looks like this is fixed in 2.0.8: https://github.com/ClusterLabs/libqb/releases/tag/v2.0.8
On ChromeOS we have moved to libqqb 2.0.8 with the same ebuild as 2.0.4 with just a name change and the newer source archive + digests. https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/5177738
(In reply to Allen Webb from comment #2) > On ChromeOS we have moved to libqqb 2.0.8 with the same ebuild as 2.0.4 with > just a name change and the newer source archive + digests. > > https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos- > overlay/+/5177738 Care to make a PR? :)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b77e756584b035aedf67e85070e578e245e05ea commit 6b77e756584b035aedf67e85070e578e245e05ea Author: Christopher Fore <csfore@posteo.net> AuthorDate: 2024-04-22 23:30:35 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2024-05-03 11:53:39 +0000 sys-cluster/libqb: add 2.0.8, security bump - Bump EAPI 7 -> 8 - Tests pass Bug: https://bugs.gentoo.org/919157 Signed-off-by: Christopher Fore <csfore@posteo.net> Closes: https://github.com/gentoo/gentoo/pull/36368 Signed-off-by: Sam James <sam@gentoo.org> sys-cluster/libqb/Manifest | 1 + sys-cluster/libqb/libqb-2.0.8.ebuild | 68 ++++++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+)
