Summary: | <dev-libs/libressl-2.2.4: Memory Leak and Buffer Overflow (CVE-2015-{5333,5334}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Chí-Thanh Christopher Nguyễn <chithanh> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | hasufell |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://seclists.org/oss-sec/2015/q4/87 | ||
Whiteboard: | ~1 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Chí-Thanh Christopher Nguyễn
2015-10-16 13:22:55 UTC
To answer ago's questions from the ${URL} followup:
All released versions up to 2.3.0 are affected.

The commits which fix the memory leak and buffer overflow are presumably:
https://github.com/libressl-portable/openbsd/commit/ea13bdff130f93ab673b45fc299e56a4c5a821e4
https://github.com/libressl-portable/openbsd/commit/f292734cabfd94223388c7a59ed940e850b26649

Plus some more which appear to be related, but do not directly fix any security vulnerability in that CVE.

(In reply to Chí-Thanh Christopher Nguyễn from comment #1)
> To answer ago's questions from the ${URL} followup:
> All released versions up to 2.3.0 are affected.
>

That's not entirely correct, because it is fixed in 2.2.4, which is the stable branch.

http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/007_obj2txt.patch.sig
https://github.com/libressl-portable/portable/blob/v2.2.4/ChangeLog#L35

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0171d63fb6075caf0db45f1d26ff18556afb5ab5
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01b218d46346e441cd768f2f8e985abb14bbb6ab

Package never stabilized.