Bug 925725 (CVE-2024-22857) - dev-libs/zlog: heap overflow RCE
Summary: dev-libs/zlog: heap overflow RCE
Status: RESOLVED OBSOLETE
Alias: CVE-2024-22857
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/HardySimpson/zlog/...
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-28 17:17 UTC by Hank Leininger
Modified: 2024-05-11 21:50 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hank Leininger 2024-02-28 17:17:06 UTC
Full details not released yet, but a heap overflow leading to RCE has been reported in zlog up through the latest release, 1.2.17 (::gentoo has only 1.2.15). Upstream has not responded to private attempts for several months prior to the issue going public. CVE-2024-22857 has been reserved but not published yet at time of writing.

This is distinct from https://bugs.gentoo.org/837518 for which a fix exists but dev-libs/zlog was never bumped.

dev-libs/zlog has already started last-rites here: https://bugs.gentoo.org/925342
Comment 1 John Helmert III 2024-03-01 05:17:42 UTC
Thanks for reporting!
Comment 2 Michał Górny 2024-03-29 14:53:19 UTC
Package removed.