Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 772272 (CVE-2021-3405)

Summary: <dev-libs/libebml-1.4.2: exploitable heap overflow on 32 bit builds (CVE-2021-3405)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: media-video, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/Matroska-Org/libebml/issues/74
Whiteboard: B1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 882797    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-23 22:02:22 UTC 
CVE-2021-3405:

A flaw was found in libebml before 1.4.2. A heap overflow bug exists in the implementation of EbmlString::ReadData and EbmlUnicodeString::ReadData in libebml.

Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-02-24 16:22:11 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a51938aa0fc53ed5804e6749ecd3db3db489d17

commit 5a51938aa0fc53ed5804e6749ecd3db3db489d17
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-02-24 15:02:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-24 16:21:43 +0000

    dev-libs/libebml: bump to 1.4.2
    
    Bug: https://bugs.gentoo.org/772272
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libebml/Manifest             |  1 +
 dev-libs/libebml/libebml-1.4.2.ebuild | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-24 20:23:48 UTC 
ppc done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-24 20:25:58 UTC 
ppc64 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-24 20:26:49 UTC 
arm done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-24 23:20:33 UTC 
arm64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 07:31:38 UTC 
x86 done
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2021-02-25 08:53:03 UTC 
sparc stable
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 11:16:43 UTC 
amd64 done

all arches done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 11:23:07 UTC 
Please cleanup.
Comment 10 Larry the Git Cow gentoo-dev 2021-02-25 12:57:38 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee5c6ba9a4dcb4662c5a7dfe9092ff3378547e54

commit ee5c6ba9a4dcb4662c5a7dfe9092ff3378547e54
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-02-25 12:57:20 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-02-25 12:57:20 +0000

    dev-libs/libebml: Security cleanup
    
    Bug: https://bugs.gentoo.org/772272
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libebml/Manifest              |  4 ----
 dev-libs/libebml/libebml-1.3.10.ebuild | 20 --------------------
 dev-libs/libebml/libebml-1.3.9.ebuild  | 20 --------------------
 dev-libs/libebml/libebml-1.4.0.ebuild  | 20 --------------------
 dev-libs/libebml/libebml-1.4.1.ebuild  | 22 ----------------------
 5 files changed, 86 deletions(-)
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 17:09:51 UTC 
Thank you!
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:23:53 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 17:32:19 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 17:40:12 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-07-29 17:48:22 UTC Comment hidden (obsolete)
Comment 16 NATTkA bot gentoo-dev 2021-07-29 18:04:19 UTC Comment hidden (obsolete)
Comment 17 NATTkA bot gentoo-dev 2021-07-29 18:12:36 UTC 
Package list is empty or all packages have requested keywords.
Comment 18 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 15:47:18 UTC 
Request filed
Comment 19 Larry the Git Cow gentoo-dev 2022-08-14 00:11:56 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2111a6fd84a6c57c50d069870a152079eaa01505

commit 2111a6fd84a6c57c50d069870a152079eaa01505
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 00:09:54 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-14 00:11:45 +0000

    [ GLSA 202208-21 ] libebml: Heap buffer overflow vulnerability
    
    Bug: https://bugs.gentoo.org/772272
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-21.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)