
Bug 768762 (CVE-2021-0308)

Summary: <sys-apps/gptfdisk-1.0.6: Out of bounds write in ReadLogicalParts (CVE-2021-0308)
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: polynomial-c
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B1 [glsa+ cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-05 04:06:03 UTC
Description:
"In ReadLogicalParts of basicmbr.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-8.1, Android-9, Android-10, Android-11, Android-8.0; Android ID: A-158063095."

See https://sourceforge.net/p/gptfdisk/mailman/message/37196701/.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-05 04:06:47 UTC
I'm not sure how exploitable this is without control over a disk in the first place. So, I'll call it B1 for now, but I think we need to discuss this.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2021-02-14 14:42:30 UTC
@ maintainer(s): Could you please bump to v1.0.6.1 first (https://sourceforge.net/p/gptfdisk/code/ci/f063fe08e424c99f133df18bf9dce49c851bcb0a/) before stabilizing?
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-15 08:40:03 UTC
ppc64 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-16 19:20:46 UTC
arm done
Comment 5 Rolf Eike Beer archtester 2021-02-16 20:14:05 UTC
sparc stable
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-17 01:01:09 UTC
ppc done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-17 03:55:24 UTC
amd64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-17 03:56:19 UTC
arm64 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-17 20:53:26 UTC
x86 done

all arches done
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-17 21:00:34 UTC
Please clean up
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-25 22:43:49 UTC
New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 08:05:50 UTC
This issue was resolved and addressed in GLSA 202105-03 at https://security.gentoo.org/glsa/202105-03 by GLSA coordinator Thomas Deutschmann (whissi).