Bug 799788 (CVE-2020-36403)

Summary:	<sci-libs/htslib-1.13: OOB write (CVE-2020-36403)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	sci-biology
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24097
Whiteboard:	~3 [noglsa]
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2021-07-02 01:38:31 UTC

CVE-2020-36403:

HTSlib 1.10 through 1.10.2 allows out-of-bounds write access in vcf_parse_format (called from vcf_parse and vcf_read).

Patch in >=1.11: https://github.com/samtools/htslib/commit/dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c

Please bump.

Comment 1 NATTkA bot gentoo-dev

2021-07-29 17:21:12 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 2 NATTkA bot gentoo-dev

2021-07-29 17:29:20 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 3 NATTkA bot gentoo-dev

2021-07-29 17:37:17 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 4 NATTkA bot gentoo-dev

2021-07-29 17:45:23 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 5 NATTkA bot gentoo-dev

2021-07-29 17:53:28 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 6 NATTkA bot gentoo-dev

2021-07-29 18:01:21 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 18:09:44 UTC

Package list is empty or all packages have requested keywords.

Comment 8 Larry the Git Cow gentoo-dev

2021-10-03 17:41:46 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7e45d492762de669f6e84b5df12aaf95cae1a1d

commit a7e45d492762de669f6e84b5df12aaf95cae1a1d
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2021-10-03 17:41:36 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2021-10-03 17:41:36 +0000

    sci-libs/htslib: add 1.13
    
    Bug: https://bugs.gentoo.org/799788
    Signed-off-by: David Seifert <soap@gentoo.org>

 sci-libs/htslib/Manifest           |  1 +
 sci-libs/htslib/htslib-1.13.ebuild | 52 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)

Comment 9 John Helmert III archtester

2021-10-03 20:24:10 UTC

Please cleanup

Comment 10 Larry the Git Cow gentoo-dev

2021-10-11 14:55:24 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fac85a0681906115f21e878305e44c0243e0c686

commit fac85a0681906115f21e878305e44c0243e0c686
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2021-10-11 14:55:11 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2021-10-11 14:55:11 +0000

    sci-libs/htslib: drop 1.10.2
    
    Bug: https://bugs.gentoo.org/799788
    Signed-off-by: David Seifert <soap@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/22556
    Signed-off-by: David Seifert <soap@gentoo.org>

 sci-libs/htslib/Manifest             |  1 -
 sci-libs/htslib/htslib-1.10.2.ebuild | 51 ------------------------------------
 2 files changed, 52 deletions(-)

Comment 11 John Helmert III archtester

2021-10-11 15:23:14 UTC

Thanks Soap!