Summary: | <dev-util/cflow-1.7: multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | maintainer-needed |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | ~3 [noglsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Sam James
2020-03-01 17:56:53 UTC
Package has no stable ebuild. Also, crash in CLI tool, no real security impact. CVE-2019-16166 (https://nvd.nist.gov/vuln/detail/CVE-2019-16166): GNU cflow through 1.6 has a heap-based buffer over-read in the nexttoken function in parser.c. CVE-2019-16165 (https://nvd.nist.gov/vuln/detail/CVE-2019-16165): GNU cflow through 1.6 has a use-after-free in the reference function in parser.c. Changelog for 1.7 says it fixes these. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d89d0c81148fbcc32c51d084713bd5e731c418f commit 3d89d0c81148fbcc32c51d084713bd5e731c418f Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2021-12-30 17:51:18 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2021-12-30 17:52:31 +0000 dev-util/cflow: add 1.7 Bug: https://bugs.gentoo.org/711196 Signed-off-by: John Helmert III <ajak@gentoo.org> dev-util/cflow/Manifest | 1 + dev-util/cflow/cflow-1.7.ebuild | 56 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+) Tree is clean: commit df6cc9977c4576a3f1efb70c7958dcb4f37e1a2e Author: Sam James <sam@gentoo.org> Date: Sun Apr 17 19:53:06 2022 +0100 dev-util/cflow: drop 1.6 Signed-off-by: Sam James <sam@gentoo.org> |