
Bug 784584 (CVE-2021-3504)

Summary: <app-misc/hivex-1.3.20: DoS vulnerability (CVE-2021-3504)
Product: Gentoo Security
Reporter: Thomas Deutschmann <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: maintainer-needed
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://listman.redhat.com/archives/libguestfs/2021-May/msg00013.html
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Thomas Deutschmann gentoo-dev 2021-04-20 21:46:23 UTC
Incoming details.

Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-21 01:15:00 UTC
Now publicly disclosed.

Description:

"hivex is a library for reading and writing Windows Registry (hive)
files.  Jeremy Galindo, Sr Security Engineer at Datto.com found a flaw
caused by a lack of bounds checking in hivex_open which would cause
hivex to read memory beyond its normal bounds and/or cause the program
to crash."

https://bugzilla.redhat.com/show_bug.cgi?id=1949687
https://listman.redhat.com/archives/libguestfs/2021-May/msg00013.html

Patch in 1.3.20: https://github.com/libguestfs/hivex/commit/8f1935733b10d974a1a4176d38dd151ed98cf381

Comment 2 Larry the Git Cow gentoo-dev 2021-06-07 23:27:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a69af54f09f3f929f87140cd4c239aca323748d

commit 0a69af54f09f3f929f87140cd4c239aca323748d
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-06-07 23:25:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-06-07 23:27:11 +0000

    app-misc/hivex: add 1.3.20
    
    Bug: https://bugs.gentoo.org/784584
    Closes: https://bugs.gentoo.org/682238
    Closes: https://bugs.gentoo.org/692528
    Signed-off-by: Sam James <sam@gentoo.org>

 app-misc/hivex/Manifest            |   1 +
 app-misc/hivex/hivex-1.3.20.ebuild | 119 +++++++++++++++++++++++++++++++++++++
 2 files changed, 120 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev 2021-07-12 19:29:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6fb37672ae1310f4a3721b46e8e838ea2917f5b0

commit 6fb37672ae1310f4a3721b46e8e838ea2917f5b0
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-07-12 19:28:54 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-07-12 19:29:06 +0000

    app-misc/hivex: drop 1.3.18
    
    Bug: https://bugs.gentoo.org/784584
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-misc/hivex/Manifest            |   1 -
 app-misc/hivex/hivex-1.3.18.ebuild | 113 -------------------------------------
 2 files changed, 114 deletions(-)

Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-12 19:30:27 UTC
All unstable, tree clean, all done.