
Bug 638434 (CVE-2017-10140)

Summary: sys-libs/db: Berkeley DB reads DB_CONFIG from the current working directory
Product: Gentoo Security
Reporter: Eddie Chapman <maracay>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: minor
CC: ajak, base-system
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1464032
Whiteboard: A4 [upstream/ebuild cve]
Package list:
Runtime testing required: ---

Description Eddie Chapman 2017-11-22 08:03:19 UTC
Berkeley DB reads the DB_CONFIG configuration file from the current working directory.

Upstream has not released a fix yet, but Ubuntu have just released updated packages using a patch that Fedora is also using, and which upstream has apparently endorsed (see RedHat BZ comments). So I suggest Gentoo do the same?

References:
http://seclists.org/oss-sec/2017/q2/452
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10140.html
https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch
https://bugzilla.redhat.com/show_bug.cgi?id=1464032#c9
Comment 1 Eddie Chapman 2017-11-22 08:43:13 UTC
Just tested the Fedora patch (added an epatch line to the latest stable db-5.3.28-r2.ebuild) and saw that it was applied, which it did without error, and it built and installed fine. Haven't tested other versions.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-22 16:33:49 UTC
(In reply to Eddie Chapman from comment #1)

Thanks for the report Eddie, CCing maintainers to let them know about this.

@Maintainers please confirm if we are affected.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2017-11-22 19:10:44 UTC
Looks ok, but I'm worried about subtle breakage by consumers. I need to check if DB_HOME is set in those cases (openldap berkdb mostly).
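The point raised in the description (an unpatched library reads DB_CONFIG from the working directory when no environment home is given) and in comment 3 (whether consumers set DB_HOME) can be checked from the defender's side. The following audit script is an added example, not part of this bug or of Berkeley DB itself; it assumes a small set of real DB_CONFIG path directives (set_data_dir, add_data_dir, set_lg_dir, set_tmp_dir) and constructs its own sample file.

```python
import os
import stat
import tempfile

# DB_CONFIG directives whose argument is a filesystem path (assumed subset of
# the Berkeley DB DB_CONFIG vocabulary); a DB_CONFIG written by another user
# can use them to point data, log or temp files somewhere unexpected.
PATH_DIRECTIVES = {"set_data_dir", "add_data_dir", "set_lg_dir", "set_tmp_dir"}

def db_config_location(db_home=None):
    """Path an unpatched library would read: the environment home when one
    is given, otherwise the current working directory (the bug's trigger)."""
    base = db_home if db_home else os.getcwd()
    return os.path.join(base, "DB_CONFIG")

def risky_directives(text):
    """Return (line_number, directive, argument) for path-setting directives."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 2 and parts[0] in PATH_DIRECTIVES:
            hits.append((lineno, parts[0], parts[1]))
    return hits

def audit_db_config(path, trusted_uids=(0, os.geteuid())):
    """Findings for one DB_CONFIG file; an empty list means nothing suspicious."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings
    if stat.S_ISLNK(st.st_mode):
        findings.append("DB_CONFIG is a symlink")
    if st.st_uid not in trusted_uids:
        findings.append(f"DB_CONFIG owned by untrusted uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("DB_CONFIG is group- or world-writable")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, directive, arg in risky_directives(fh.read()):
            findings.append(f"line {lineno}: {directive} {arg}")
    return findings

def demo():
    """Constructed sample: a world-writable DB_CONFIG redirecting the log dir."""
    with tempfile.TemporaryDirectory() as home:
        path = db_config_location(home)
        with open(path, "w") as fh:
            fh.write("# constructed sample\nset_cachesize 0 1048576 1\n"
                     "set_lg_dir /tmp/evil-logs\n")
        os.chmod(path, 0o666)
        return audit_db_config(path)
```

Run `audit_db_config(db_config_location())` from the directory a db-using service starts in to see what an unpatched library would pick up there.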
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-22 19:16:05 UTC
(In reply to Robin Johnson from comment #3)
> Looks ok, but I'm worried about subtle breakage by consumers. I need to
> check if DB_HOME is set in those cases (openldap berkdb mostly).

Thanks, please call for stabilization when a fixed version is available.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-14 00:36:10 UTC
Maintainer(s): Ping.