Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 652686 (CVE-2018-1000097)

Summary: <app-arch/sharutils-4.15.2-r1: Buffer overflow
Product: Gentoo Security Reporter: Ian Zimmerman <nobrowser>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system, cray
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://security-tracker.debian.org/tracker/CVE-2018-1000097
Whiteboard: A4 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 674126    
Bug Blocks:    
Attachments:
Description Flags
Fix CVE-2018-1000097, heap buffer overflow in unshar none

Description Ian Zimmerman 2018-04-06 15:53:23 UTC 
According to the summary at $URL:

Sharutils sharutils (unshar command) version 4.15.2 contains a Buffer Overflow vulnerability in Affected component on the file unshar.c at line 75, function looks_like_c_code. Failure to perform checking of the buffer containing input line. that can result in Could lead to code execution. This attack appear to be exploitable via Victim have to run unshar command on a specially crafted file..


Reproducible: Always
Comment 1 Juan Carlos Perez 2018-12-28 11:43:36 UTC 
Created attachment 558684 [details, diff]
Fix CVE-2018-1000097, heap buffer overflow in unshar

From: Petr Pisar
Subject: Fix CVE-2018-1000097, heap buffer overflow in unshar
Bug-Debian: https://bugs.debian.org/893525
X-Debian-version: 1:4.15.2-3
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-03-12 06:49:01 UTC 
This got lost in bugzilla due to no base-system cc, or classification. Re-surfacing!
Comment 3 Larry the Git Cow gentoo-dev 2019-03-13 12:03:19 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=648bdf9134d87d5d6ca086b742964b77c3da87d8

commit 648bdf9134d87d5d6ca086b742964b77c3da87d8
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-03-13 12:02:46 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-03-13 12:02:46 +0000

    app-arch/sharutils: Add patch for CVE-2018-1000097
    
    Bug: https://bugs.gentoo.org/652686
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 .../files/sharutils-4.15.2-CVE-2018-1000097.patch        | 16 ++++++++++++++++
 ...harutils-4.15.2.ebuild => sharutils-4.15.2-r1.ebuild} |  1 +
 2 files changed, 17 insertions(+)
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2019-03-13 12:05:10 UTC 
Let's stabilize this together with glibc in bug 674126
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-05-02 22:43:31 UTC 
Please drop vulnerable