Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 717944 (CVE-2019-17455)

Summary: <net-libs/libntlm-1.6: Buffer overflow in tSmbNtlmAuth{Request,Challenge} (CVE-2019-17455)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: maintainer-needed
Priority: Normal Keywords: CC-ARCHES
Version: unspecifiedFlags: nattka: sanity-check+
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
net-libs/libntlm-1.6
 Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 698100    

Description GLSAMaker/CVETool Bot gentoo-dev 2020-04-17 20:57:48 UTC 
CVE-2019-17455 (https://nvd.nist.gov/vuln/detail/CVE-2019-17455):
  Libntlm through 1.5 relies on a fixed buffer size for tSmbNtlmAuthRequest,
  tSmbNtlmAuthChallenge, and tSmbNtlmAuthResponse read and write operations,
  as demonstrated by a stack-based buffer over-read in buildSmbNtlmAuthRequest
  in smbutil.c for a crafted NTLM request.
Comment 1 Larry the Git Cow gentoo-dev 2020-07-19 00:35:35 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ddde72881ac2e304d026697e581bc4e621977ad4

commit ddde72881ac2e304d026697e581bc4e621977ad4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-19 00:31:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-19 00:35:27 +0000

    net-libs/libntlm: security bump to 1.6
    
    Bug: https://bugs.gentoo.org/717944
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/libntlm/Manifest           |  1 +
 net-libs/libntlm/libntlm-1.6.ebuild | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 15:20:23 UTC 
arm64 stable
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 15:30:48 UTC 
arm stable
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 17:34:19 UTC 
x86 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 17:34:30 UTC 
ppc stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 17:34:42 UTC 
amd64 stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-20 18:49:41 UTC 
ppc64 stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-21 00:40:50 UTC 
sparc stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-25 21:02:13 UTC 
s390 stable
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 18:49:44 UTC 
hppa: ping
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 22:56:37 UTC 
GLSA vote: no
Comment 12 Rolf Eike Beer archtester 2020-07-28 21:54:31 UTC 
dropped to ~hppa
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-28 21:55:20 UTC 
Needs cleanup.
Comment 14 Larry the Git Cow gentoo-dev 2020-07-29 00:19:52 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c4218ab25dcb10fe03a93ae8e889c024783d1d5

commit 6c4218ab25dcb10fe03a93ae8e889c024783d1d5
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 00:19:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 00:19:37 +0000

    net-libs/libntlm: security cleanup
    
    Bug: https://bugs.gentoo.org/717944
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/libntlm/Manifest           |  1 -
 net-libs/libntlm/libntlm-1.4.ebuild | 14 --------------
 2 files changed, 15 deletions(-)