
Bug 861803 (CVE-2022-2509)

Summary: <net-libs/gnutls-3.7.7: Double free in PKCS7 signature verification
Product: Gentoo Security
Component: Vulnerabilities
Status: IN_PROGRESS
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Reporter: Sam James <sam>
Assignee: Gentoo Security <security>
CC: base-system
See Also: https://gitlab.com/gnutls/gnutls/-/issues/1383
Whiteboard: A3 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 866235
Bug Blocks:

Description (Sam James, 2022-07-29 05:11:53 UTC)
From 3.7.7 release notes:
** libgnutls: Fixed double free during verification of pkcs7 signatures.
Reported by Jaak Ristioja (#1383). [GNUTLS-SA-2022-07-07, CVSS: medium][CVE-2022-2509]

https://gitlab.com/gnutls/gnutls/-/issues/1383 isn't made public yet.
Comment 1 (Larry the Git Cow, 2022-07-29 05:14:38 UTC)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a51aa34ac6e479cdbc4df45461dd5f70bb24d8ff

commit a51aa34ac6e479cdbc4df45461dd5f70bb24d8ff
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-07-29 05:14:21 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-29 05:14:31 +0000

    net-libs/gnutls: add 3.7.7
    
    Bug: https://bugs.gentoo.org/861803
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/gnutls/Manifest            |   2 +
 net-libs/gnutls/gnutls-3.7.7.ebuild | 144 ++++++++++++++++++++++++++++++++++++
 2 files changed, 146 insertions(+)
Comment 2 (Hans de Graaff, 2023-10-08 08:11:12 UTC)
Ping. Please remove vulnerable version gnutls-3.7.6.
Comment 3 (Hans de Graaff, 2024-04-05 09:20:31 UTC)
commit 6ebf59f39cd74d9f923e58850ec66b51ab32bfb7
Author: Sam James <sam@gentoo.org>
Date:   Fri Mar 22 05:04:07 2024 +0000

    net-libs/gnutls: drop 3.7.6, 3.7.7