Bug 606448

Summary:	<net-fs/davfs-1.5.4: stack buffer overflow
Product:	Gentoo Security	Reporter:	Hanno Böck <hanno>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	gokturk
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://savannah.nongnu.org/forum/forum.php?forum_id=8501
Whiteboard:	B3 [noglsa]
Package list:	=net-fs/davfs2-1.5.4	Runtime testing required:	---

Description Hanno Böck gentoo-dev

2017-01-18 20:07:53 UTC

From upstream's changelog for 1.5.3:

"This release fixes a stack smashing error that only showed on 32-bit systems and when compiled with -fstack-protector-all."
https://savannah.nongnu.org/forum/forum.php?forum_id=8501

There are no more details, but this sounds like a security vulnerability. Given this is an implementation of a network protocol this is certainly worrying.

We already have 1.5.4 in the tree, we should stabilize it.

Comment 1 Agostino Sarubbo gentoo-dev

2017-01-19 11:26:06 UTC

amd64 stable

Comment 2 Agostino Sarubbo gentoo-dev

2017-01-19 11:34:41 UTC

x86 stable

Comment 3 Agostino Sarubbo gentoo-dev

2017-01-21 20:38:19 UTC

ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 4 Göktürk Yüksek archtester

2017-01-21 21:00:29 UTC

commit 4cb763302f57bbfc6453dcfa1ee1d5b762852058
Author: Göktürk Yüksek <gokturk@gentoo.org>
Date:   Sat Jan 21 15:59:37 2017 -0500

    net-fs/davfs2: remove vulnerable version #606448
    
    Package-Manager: portage-2.3.0

Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev

2017-01-21 23:31:03 UTC

No PoC for ACE/RCE, downgraded to B3.

GLSA Vote: No

Repository is clean.