Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 786951 (CVE-2021-30218, CVE-2021-30219)

Summary: <dev-util/samurai-1.2-r2: multiple vulnerabilities
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: orbea, polynomial-c
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/26386
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-29 19:03:27 UTC 
* CVE-2021-30218

Description:
"samurai 1.2 has a NULL pointer dereference in writefile() in util.c via a crafted build file."

Bug: https://github.com/michaelforney/samurai/issues/67

* CVE-2021-30219

Description:
"samurai 1.2 has a NULL pointer dereference in printstatus() function in build.c via a crafted build file."

Bug: https://github.com/michaelforney/samurai/issues/68
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-29 19:03:58 UTC 
(Patches in the linked bugs.)
Comment 2 Larry the Git Cow gentoo-dev 2021-04-29 19:50:33 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68b485ff058af6b943ff6633724e3d2ddeb2c7b2

commit 68b485ff058af6b943ff6633724e3d2ddeb2c7b2
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-04-29 19:40:38 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-04-29 19:49:57 +0000

    dev-util/samurai: Security revbump to fix null pointer dereference
    
    Removed old
    
    Bug: https://bugs.gentoo.org/786951
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 .../files/samurai-1.2-null_pointer_fix.patch       | 26 ++++++++++++++++++++++
 .../{samurai-1.2.ebuild => samurai-1.2-r1.ebuild}  |  4 ++++
 2 files changed, 30 insertions(+)
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2021-04-29 19:51:14 UTC 
No stabilization required yet...
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-29 19:55:41 UTC 
thanks poly, all done!
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-13 18:39:58 UTC 
Resurrecting as the patch for CVE-2021-30218 wasn't actually added.

https://github.com/gentoo/gentoo/pull/26386
Comment 6 Larry the Git Cow gentoo-dev 2022-07-15 02:14:15 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8cc59eb3b6d73b67c17da03342dac6b241451cce

commit 8cc59eb3b6d73b67c17da03342dac6b241451cce
Author:     orbea <orbea@riseup.net>
AuthorDate: 2022-07-13 15:10:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-15 02:13:56 +0000

    dev-util/samurai: Add patch for CVE-2021-30218
    
    Also updates to EAPI 8.
    
    Bug: https://bugs.gentoo.org/786951
    Upstream-Commit: https://github.com/michaelforney/samurai/commit/e84b6d99c85043fa1ba54851ee500540ec206918
    Upstream-Issue: https://github.com/michaelforney/samurai/issues/67
    Signed-off-by: orbea <orbea@riseup.net>
    Closes: https://github.com/gentoo/gentoo/pull/26386
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/samurai-1.2-null_pointer_fix.patch       | 36 +++++++++++++++++++++-
 ...samurai-1.2-r1.ebuild => samurai-1.2-r2.ebuild} |  6 ++--
 dev-util/samurai/samurai-9999.ebuild               |  4 +--
 3 files changed, 40 insertions(+), 6 deletions(-)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 03:37:26 UTC 
All done, thanks!