Summary: | <app-arch/bzip2-1.0.6-r8: heap use after free in bzip2recover
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Status: | RESOLVED FIXED
Severity: | normal
Priority: | Normal
Version: | unspecified
Hardware: | All
OS: | Linux
Whiteboard: | A3 [glsa cve]
Reporter: | Andrey Ovcharov <sudormrfhalt>
Assignee: | Gentoo Security <security>
CC: | ago, base-system, jstein
Flags: | stable-bot: sanity-check+
Package list: | =app-arch/bzip2-1.0.6-r8
Runtime testing required: | ---
Attachments: |

Thank you

commit fd4e6acf26c5766cfe17b4d1be223afcd0bab1e0 (HEAD -> master, origin/master, origin/HEAD)
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Sat Jun 3 13:48:46 2017

    app-arch/bzip2: Security revbump to fix CVE-2016-3189 (bug #620466).

    Package-Manager: Portage-2.3.6, Repoman-2.3.2

Arches please test and mark stable =app-arch/bzip2-1.0.6-r8 with target KEYWORDS:
alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd

A duplicate of 586670, however, a READ issue in a command line tool is not considered cve-worthy, so this is not a security issue at all.

amd64 stable

x86 stable

Stable on alpha.

ia64 stable

*** Bug 586670 has been marked as a duplicate of this bug. ***

New GLSA request filed.

arm stable

sparc stable

ppc64 stable

ppc stable

Arches or maintainers please stabilize for Hippo ASAP. Security will release GLSA for this in 7 days with or without hppa arch being stable.

This issue was resolved and addressed in GLSA 201708-08 at https://security.gentoo.org/glsa/201708-08 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for remaining architecture.

hppa stabilization (see Bug #629554)

Maintainer(s), please drop the vulnerable version(s).

stable for hppa (thanks to Dakon)

Last arch is done here.

Thank you, @Maintainers please let us know when all vulnerable versions are dropped from tree.

Gentoo Security Padawan
ChrisADR

Maintainer(s), please drop the vulnerable version(s).

New month (October), vulnerable version still in tree.

Cleaned up via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6eb83da9c38ad23a3dd6acdb8691dd51de94bc5

Repository is clean, all done.
Created attachment 475058: CVE-2016-3189.patch

current app-arch/bzip2-1.0.6-r7 affected CVE-2016-3189