Summary: | app-arch/lrzip: invalid memory read in lzo1x_decompress | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | D'juan McDonald (domhnall) <flopwiki> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | IN_PROGRESS --- | ||
Severity: | minor | CC: | ajak, gentoo.qxrin, maintainer-needed |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/ckolivas/lrzip/issues/108 | ||
Whiteboard: | B3 [upstream cve] | ||
Package list: | | Runtime testing required: | --- |
Description
D'juan McDonald (domhnall)
2019-04-01 18:37:47 UTC
Looks to be an incomplete fix: https://github.com/ckolivas/lrzip/issues/108

Maintainer suggests using a PR: https://github.com/ckolivas/lrzip/issues/108#issuecomment-584319910

This PR is closed and its functionality is said to be implemented in another PR, without linking it. I can't find such a PR and I can't see the commit in master.

I have no idea if this bug was fixed elsewhere as I couldn't reproduce it but there appear to be more security fixes in the commit log so it would be prudent to add another snapshot.

(In reply to John Helmert III from comment #2)
> Maintainer suggests using a PR:
>
> https://github.com/ckolivas/lrzip/issues/108#issuecomment-584319910

Oops, that might not be the maintainer. They seem to maintain a fork that they recommend:

https://github.com/ckolivas/lrzip/pull/140#issuecomment-869879318
https://github.com/pete4abw/lrzip-next