Bug 772317 (CVE-2021-3410)

Summary:	<media-libs/libcaca-0.99_beta19-r4: buffer overflow vulnerability (CVE-2021-3410)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	bircoph, media-video, sam
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/cacalabs/libcaca/issues/52
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=792339
Whiteboard:	B2 [glsa+]
Package list:	media-libs/libcaca-0.99_beta19-r4	Runtime testing required:	---

Description John Helmert III archtester

2021-02-24 03:43:28 UTC

CVE-2021-3410:

A flaw was found in libcaca v0.99.beta19. A buffer overflow issue in caca_resize function in libcaca/caca/canvas.c may lead to local execution of arbitrary code in the user context.


Looks like no fix upstream yet.

Comment 1 Sam James archtester

2021-02-27 15:14:18 UTC

Fixed in https://github.com/cacalabs/libcaca/commit/e4968ba6e93e9fd35429eb16895c785c51072015?

Comment 2 Andreas Sturmlechner gentoo-dev

2021-03-01 00:25:00 UTC

opensuse applies quite a number of more patches than us over that code:

https://build.opensuse.org/package/show/multimedia:libs/libcaca

Comment 3 Larry the Git Cow gentoo-dev

2021-05-22 11:39:27 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9e49df2222085dded48b58473bc2fd6347f8352f

commit 9e49df2222085dded48b58473bc2fd6347f8352f
Author:     Andrew Savchenko <bircoph@gentoo.org>
AuthorDate: 2021-05-22 11:36:04 +0000
Commit:     Andrew Savchenko <bircoph@gentoo.org>
CommitDate: 2021-05-22 11:39:14 +0000

    media-libs/libcaca: fix multiple CVEs and docs build failure
    
    CVE fixed (using Debian patchset):
    CVE-2018-20544, CVE-2018-20545, CVE-2018-20546,
    CVE-2018-20547, CVE-2018-20549, CVE-2021-3410.
    
    Fix docs build failure (doxygen and latex issues) using both Debian
    patch and patch from bug 543870#c11.
    
    Install docs into proper path.
    
    Bug: https://bugs.gentoo.org/543870
    Bug: https://bugs.gentoo.org/772317
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Andrew Savchenko <bircoph@gentoo.org>

 media-libs/libcaca/files/100_doxygen.diff          | 170 +++++++++++++++++++
 media-libs/libcaca/files/CVE-2018-20544.patch      |  45 +++++
 .../libcaca/files/CVE-2018-20545+20547+20549.patch |  34 ++++
 .../libcaca/files/CVE-2018-20546+20547.patch       |  36 ++++
 ...em-in-the-caca_resize-overflow-detection-.patch | 135 +++++++++++++++
 ...as-fix-an-integer-overflow-in-caca_resize.patch | 141 ++++++++++++++++
 media-libs/libcaca/files/fix-css-path.patch        |  12 ++
 media-libs/libcaca/libcaca-0.99_beta19-r4.ebuild   | 182 +++++++++++++++++++++
 8 files changed, 755 insertions(+)

Comment 4 Andrew Savchenko gentoo-dev

2021-05-22 11:42:33 UTC

Security team, please note that multiple CVEs are present prior to -r4.

Also while I helped with current problem, I'm not a maintainer of this packages, so proceed with stabilization on your own or with @media-video team.

Comment 5 John Helmert III archtester

2021-05-25 02:48:25 UTC

Thanks!

Comment 6 Sam James archtester

2021-05-25 16:54:43 UTC

ppc64 done

Comment 7 Agostino Sarubbo gentoo-dev

2021-05-25 18:58:21 UTC

amd64 stable

Comment 8 Agostino Sarubbo gentoo-dev

2021-05-25 19:10:34 UTC

x86 stable

Comment 9 Sam James archtester

2021-05-27 19:22:26 UTC

ppc done

Comment 10 Sam James archtester

2021-05-28 00:28:45 UTC

arm done

Comment 11 Rolf Eike Beer archtester

2021-05-28 15:46:11 UTC

sparc done

Comment 12 Sam James archtester

2021-06-03 22:52:01 UTC

arm64 done

all arches done

Comment 13 John Helmert III archtester

2021-06-04 02:12:12 UTC

Please cleanup.

Comment 14 NATTkA bot gentoo-dev

2021-06-18 14:36:32 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: media-libs/libcaca-0.99_beta19-r4

Comment 15 Larry the Git Cow gentoo-dev

2021-06-18 14:56:24 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a17a038ba653cf52039460cf79adca71ef4a2326

commit a17a038ba653cf52039460cf79adca71ef4a2326
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-18 14:55:58 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-18 14:56:11 +0000

    media-libs/libcaca: drop 0.99_beta19-r5, 0.99_beta19-r6
    
    Bug: https://bugs.gentoo.org/772317
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/libcaca/libcaca-0.99_beta19-r5.ebuild | 151 --------------------
 media-libs/libcaca/libcaca-0.99_beta19-r6.ebuild | 173 -----------------------
 2 files changed, 324 deletions(-)

Comment 16 NATTkA bot gentoo-dev

2021-06-18 15:12:29 UTC

Unable to check for sanity:

> no match for package: media-libs/libcaca-0.99_beta19-r4

Comment 17 Larry the Git Cow gentoo-dev

2024-02-18 10:22:54 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=93b7e0381c6c02b0f3ba93252ac9f9b72c94107a

commit 93b7e0381c6c02b0f3ba93252ac9f9b72c94107a
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-18 10:22:11 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-02-18 10:22:34 +0000

    [ GLSA 202402-19 ] libcaca: Arbitary Code Execution
    
    Bug: https://bugs.gentoo.org/772317
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202402-19.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)