Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 629352 (CVE-2017-13755, CVE-2017-13756, CVE-2017-13760)

Summary: <app-forensics/sleuthkit-4.5.0: multiple vulnerabilities
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: glsamaker, gokturk
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/sleuthkit/sleuthkit/issues/906
Whiteboard: B3 [noglsa cve]
Package list:
=app-forensics/sleuthkit-4.5.0
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2017-08-30 07:59:07 UTC
CVE-2017-13760 (https://nvd.nist.gov/vuln/detail/CVE-2017-13760):

In The Sleuth Kit (TSK) 4.4.2, fls hangs on a corrupt exfat image in tsk_img_read() in tsk/img/img_io.c in libtskimg.a.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2017-08-30 08:01:53 UTC
CVE-2017-13756:
In The Sleuth Kit (TSK) 4.4.2, opening a crafted disk image triggers infinite recursion in dos_load_ext_table() in tsk/vs/dos.c in libtskvs.a, as demonstrated by mmls.

CVE-2017-13755:
In The Sleuth Kit (TSK) 4.4.2, opening a crafted ISO 9660 image triggers an out-of-bounds read in iso9660_proc_dir() in tsk/fs/iso9660_dent.c in libtskfs.a, as demonstrated by fls.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-23 22:51:26 UTC
*** Bug 635232 has been marked as a duplicate of this bug. ***
Comment 3 Göktürk Yüksek archtester gentoo-dev 2017-10-23 23:50:05 UTC
I confirm that the 4.4.2 in the tree is vulnerable to all three CVEs
Comment 4 Larry the Git Cow gentoo-dev 2017-11-08 23:56:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1029e7bca66676be009d086091823465f107bd2e

commit 1029e7bca66676be009d086091823465f107bd2e
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2017-11-08 23:55:59 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2017-11-08 23:55:59 +0000

    app-forensics/sleuthkit: remove vulnerable version 4.4.2 #629352
    
    This version is vulnerable to the following CVEs:
      CVE-2017-13755, CVE-2017-13756, CVE-2017-13760
    
    Bug: https://bugs.gentoo.org/629352
    Package-Manager: Portage-2.3.8, Repoman-2.3.2

 app-forensics/sleuthkit/Manifest               |   1 -
 app-forensics/sleuthkit/sleuthkit-4.4.2.ebuild | 175 -------------------------
 2 files changed, 176 deletions(-)}
Comment 5 Göktürk Yüksek archtester gentoo-dev 2017-11-09 00:00:20 UTC
I've pushed sleuthkit-4.5.0 which fixes all the tree CVEs.
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-09 00:36:09 UTC
(In reply to Göktürk Yüksek from comment #5)
> I've pushed sleuthkit-4.5.0 which fixes all the tree CVEs.

Thank you, could you please confirm if prior versions (especially 4.0.2) are vulnerable? if that's the case please call for stabilization when ready. If not please let us know to reassign whiteboard to reflect the real status.

Thank you
Comment 7 D'juan McDonald (domhnall) 2017-11-09 03:38:34 UTC
@maintainer(s), Please set your keywords, package list and cc arches to start stabilization. Thank you.

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 8 Göktürk Yüksek archtester gentoo-dev 2017-11-27 14:35:17 UTC
Arches, please proceed with the stabilization.

@ChrisADR, I didn't see anything about prior versions in the CVEs. I'll more likely clean the prior versions after this stabilization.
Comment 9 Agostino Sarubbo gentoo-dev 2017-11-29 11:19:32 UTC
amd64 stable
Comment 10 Thomas Deutschmann gentoo-dev Security 2017-11-29 18:55:08 UTC
x86 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-03 22:19:46 UTC
ppc stable
Comment 12 Matt Turner gentoo-dev 2018-04-22 19:17:38 UTC
hppa stable
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-22 20:54:22 UTC
GLSA Vote: No

@maintainer, please clean the vulnerable versions.
Comment 14 Larry the Git Cow gentoo-dev 2018-04-23 21:52:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15edf362028940ec8457c508320f17dbc1ef6a8b

commit 15edf362028940ec8457c508320f17dbc1ef6a8b
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2018-04-23 21:51:26 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2018-04-23 21:52:05 +0000

    app-forensics/sleuthkit: clean up old & vulnerable #629352
    
    Bug: https://bugs.gentoo.org/629352
    Package-Manager: Portage-2.3.27, Repoman-2.3.9

 app-forensics/sleuthkit/Manifest                   |  4 --
 .../files/sleuthkit-3.2.3-tools-shared-libs.patch  | 55 ----------------------
 .../files/sleuthkit-4.0.0-system-sqlite.patch      | 34 -------------
 .../files/sleuthkit-4.1.0-system-sqlite.patch      | 34 -------------
 app-forensics/sleuthkit/sleuthkit-4.0.2.ebuild     | 39 ---------------
 app-forensics/sleuthkit/sleuthkit-4.1.0.ebuild     | 38 ---------------
 app-forensics/sleuthkit/sleuthkit-4.1.2.ebuild     | 38 ---------------
 app-forensics/sleuthkit/sleuthkit-4.1.3.ebuild     | 38 ---------------
 8 files changed, 280 deletions(-)}