
Bug 714944

Summary: app-editors/zile: Possible multiple vulnerabilities due to embedded gnulib (CVE-2017-7476, CVE-2018-17942)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: normal
CC: emacs
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 714934

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 22:59:33 UTC
It is suspected that this package is vulnerable to a security vulnerability in gnulib. As such we ask maintainers with packages suspected to be vulnerable to verify whether the package is (or has been) affected.

Please see the information contained in the tracker bug 714934:
* CVE-2017-7476 - "Gnulib before 2017-04-26 has a heap-based buffer overflow with the TZ environment variable. The error is in the save_abbr function in time_rz.c."

** Patch: https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=94e01571507835ff59dd8ce2a0b56a4b566965a4

* CVE-2018-17942 - "The convert_to_decimal function in vasnprintf.c in Gnulib before 2018-09-23 has a heap-based buffer overflow because memory is not allocated for a trailing '\0' character during %f processing."

** Patch: https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=278b4175c9d7dd47c1a3071554aac02add3b3c35

If neither of these functions is used and they haven't been in the past, you should be fine.

Please check, if possible, whether any embedded gnulib contained in this version has this code now, or had it in the past (for GLSA purposes/cleanup if still in tree).
Comment 1 Ulrich Müller gentoo-dev 2020-03-27 06:11:08 UTC
The TZ code doesn't exist:

zile-2.4.14 $ find -name time_rz.c
zile-2.4.14 $ grep -r save_abbr
zile-2.4.14 $ 

As for convert_to_decimal(), that code exists in lib/vasnprintf.c but is inside a big (NEED_PRINTF_LONG_DOUBLE || NEED_PRINTF_DOUBLE) preprocessor conditional in lines 329 to 1529, so it isn't compiled in:

zile-2.4.14 $ grep -E 'NEED_PRINTF(_LONG)?_DOUBLE' config.h
/* #undef NEED_PRINTF_DOUBLE */
/* #undef NEED_PRINTF_LONG_DOUBLE */

Double checking, the symbol isn't in the binary:
$ nm -a src/zile | grep convert_to_decimal

So it looks like a false positive.
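The triage in comment 1, as an added shell example that is not part of the bug thread and not Gentoo's or zile's own code: it runs the same find/grep checks for the TZ code, the same config.h check for `NEED_PRINTF_DOUBLE` / `NEED_PRINTF_LONG_DOUBLE`, and the same `nm` check against a built binary, over any unpacked source tree, and reports the result as an exit status so the procedure can be repeated for other packages carrying an embedded gnulib. The sample tree it builds (a stub `lib/vasnprintf.c` with the guarded `convert_to_decimal` and a config.h with both macros undefined) is constructed here to mirror what comment 1 reports for zile-2.4.14; the function names and the exit-status scheme are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug thread): automate the manual checks from
# comment 1 against an unpacked source tree.
# Exit status of check_gnulib_cves (scheme chosen for this example):
#   0 = no vulnerable gnulib code path present or compiled in
#   1 = time_rz.c / save_abbr present        (CVE-2017-7476 needs review)
#   2 = convert_to_decimal compiled in       (CVE-2018-17942 needs review)
#   3 = both

# Returns 0 when the TZ code (time_rz.c, save_abbr) is absent from the tree.
tz_code_absent() {
    srcdir=$1
    [ -z "$(find "$srcdir" -name time_rz.c 2>/dev/null)" ] || return 1
    ! grep -rq 'save_abbr' "$srcdir"
}

# Returns 0 when convert_to_decimal cannot be compiled in: either the source
# lacks it, or config.h leaves NEED_PRINTF_DOUBLE and NEED_PRINTF_LONG_DOUBLE
# undefined (the "/* #undef ... */" form does not match a live #define).
printf_code_not_compiled() {
    srcdir=$1
    config_h=$2
    if ! grep -rq 'convert_to_decimal' "$srcdir"; then
        return 0
    fi
    ! grep -Eq '^#define NEED_PRINTF(_LONG)?_DOUBLE' "$config_h"
}

# check_gnulib_cves SRCDIR CONFIG_H [BINARY]
# BINARY is optional; when given, the built object is also inspected with nm.
check_gnulib_cves() {
    srcdir=$1
    config_h=$2
    binary=$3
    status=0
    tz_code_absent "$srcdir" || status=$((status + 1))
    if ! printf_code_not_compiled "$srcdir" "$config_h"; then
        status=$((status + 2))
    elif [ -n "$binary" ] && [ -f "$binary" ] && command -v nm >/dev/null 2>&1; then
        # Belt and braces: the symbol must also be absent from the built binary.
        nm -a "$binary" 2>/dev/null | grep -q convert_to_decimal && status=$((status + 2))
    fi
    return $status
}

# Constructed sample tree mirroring what comment 1 reports for zile-2.4.14:
# no time_rz.c, convert_to_decimal present but guarded, both macros undefined.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lib" "$dir/src"
    cat > "$dir/lib/vasnprintf.c" <<'EOF'
#if NEED_PRINTF_LONG_DOUBLE || NEED_PRINTF_DOUBLE
static char *convert_to_decimal (mpn_t a, size_t extra_zeroes) { return 0; }
#endif
EOF
    cat > "$dir/config.h" <<'EOF'
/* #undef NEED_PRINTF_DOUBLE */
/* #undef NEED_PRINTF_LONG_DOUBLE */
EOF
    printf '%s\n' "$dir"
}

# Usage: run the checks over the constructed sample tree and print the verdict.
sample=$(make_sample_tree)
check_gnulib_cves "$sample" "$sample/config.h" "$sample/src/zile" && rc=0 || rc=$?
echo "sample tree verdict: status $rc (0 = no vulnerable gnulib code path compiled in)"
rm -rf "$sample"
```

Point `check_gnulib_cves` at a real unpacked tree and its generated `config.h` after `./configure`; a non-zero status means the corresponding CVE needs a closer look, not that the package is confirmed vulnerable, since the guarded code can be present without ever being built.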