Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 834456 (CVE-2022-26291, CVE-2022-28044)

Summary: <app-arch/lrzip-0.650: Multiple vulnerabilities
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: minor CC: filip.ambroz, maintainer-needed
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa? cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 836957    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-02 02:30:58 UTC
Upstream's release notes/blog post [0] note that some of the fixes in this release may have security implications:

"A number of accumulated bug reports had collected since the last lrzip release and since I regularly use lrzip I want to make sure it stays bug free as far as I am aware, even if I'm not planning any new features for it. As some of the changes are potentially security fixes, I urge any user to update."

[0] https://ck-hack.blogspot.com/2022/02/lrzip-version-0650.html
Comment 1 Larry the Git Cow gentoo-dev 2022-03-02 02:31:21 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61c003d081de7195408fb32386a7afdf4ec8b5b2

commit 61c003d081de7195408fb32386a7afdf4ec8b5b2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-03-02 02:29:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-02 02:31:03 +0000

    app-arch/lrzip: add 0.650
    
    Bug: https://bugs.gentoo.org/834456
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/lrzip/Manifest           |  1 +
 app-arch/lrzip/lrzip-0.650.ebuild | 51 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
Comment 2 Joe Kappus 2022-03-08 23:58:50 UTC
Con just released 0.651: https://ck-hack.blogspot.com/2022/03/lrzip-version-0651.html
Comment 3 Larry the Git Cow gentoo-dev 2022-03-11 11:01:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9923950a8fb3c067c6102f7175b94ecc1cbbdfaf

commit 9923950a8fb3c067c6102f7175b94ecc1cbbdfaf
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-03-11 09:19:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-11 11:00:55 +0000

    app-arch/lrzip: add 0.651
    
    Not thought to fix any further vulnerabilities but it's a better
    stable candidate.
    
    Bug: https://bugs.gentoo.org/834456
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/lrzip/Manifest           |  1 +
 app-arch/lrzip/lrzip-0.651.ebuild | 51 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-29 09:15:18 UTC
*** Bug 836350 has been marked as a duplicate of this bug. ***
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-14 16:56:20 UTC
Please cleanup
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-16 05:03:35 UTC
CVE-2022-28044 (https://github.com/ckolivas/lrzip/issues/216):

Irzip v0.640 was discovered to contain a heap memory corruption via the component lrzip.c:initialise_control.