
Bug 766009

Summary: <dev-python/Levenshtein-0.12.1: Possible remote code execution
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: normal
CC: python
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa?]
Package list:
dev-python/python-levenshtein-0.12.1
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-18 15:33:16 UTC
"0.12.1
------

* Fixed handling of numerous possible wraparounds in calculating the size
  of memory allocations; incorrect handling of which could cause denial
  of service or even possible remote code execution in previous versions
  of the library."
Comment 1 Larry the Git Cow gentoo-dev 2021-01-18 15:34:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c856599b527a6710e1a47d36719604d7b38554e8

commit c856599b527a6710e1a47d36719604d7b38554e8
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-01-18 15:34:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-01-18 15:34:31 +0000

    dev-python/python-levenshtein: (security) bump to 0.12.1
    
    Bug: https://bugs.gentoo.org/766009
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-python/python-levenshtein/Manifest             |  1 +
 .../python-levenshtein-0.12.1.ebuild               | 24 ++++++++++++++++++++++
 2 files changed, 25 insertions(+)
Comment 2 Agostino Sarubbo gentoo-dev 2021-01-22 16:54:45 UTC
amd64 stable
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-22 18:43:10 UTC
arm64 done
Comment 4 Agostino Sarubbo gentoo-dev 2021-01-24 12:12:00 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 6 NATTkA bot gentoo-dev 2021-10-17 19:28:56 UTC
Unable to check for sanity:

> no match for package: dev-python/python-levenshtein-0.12.1