
Bug 864442 (CVE-2022-2652)

Summary: <media-video/v4l2loopback-0.12.7: kernel stack memory leak via format string vulnerability
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: quincyf467, titanofold
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-08 17:32:45 UTC

Depending on the way the format strings in the card label are crafted, it's possible to leak kernel stack memory. There is also the possibility for DoS due to the v4l2loopback kernel module crashing when providing the card label on request (reproduce e.g. with many %s modifiers in a row).

Unreleased patch:
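
Added example, not the upstream patch and not v4l2loopback code: a user-space C sketch of the bug class described above, where a user-supplied label reaches a printf-style function as the format argument, next to the hardened form and a small audit helper. `CARD_LEN`, `set_card_label` and `count_conversions` are hypothetical names, and the sample labels are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CARD_LEN 32 /* hypothetical label buffer size for this sketch */

/* Vulnerable form, kept as a comment so it is never executed:
 *     snprintf(dst, dst_len, label);
 * Every conversion in the label makes snprintf() fetch an argument that was
 * never passed, so it formats whatever sits in registers or on the stack
 * (the leak), and "%s" dereferences such a value as a pointer (the crash).
 */

/* Hardened form: the format is a constant and the label is only data, so any
 * '%' in it is copied verbatim. Returns 0 on success, -1 on bad arguments or
 * when the label had to be truncated to fit dst. */
int set_card_label(char *dst, size_t dst_len, const char *label)
{
    int n;

    if (!dst || !label || dst_len == 0)
        return -1;
    n = snprintf(dst, dst_len, "%s", label);
    return (n < 0 || (size_t)n >= dst_len) ? -1 : 0;
}

/* Audit helper: number of conversion specifications the label would trigger
 * if it were misused as a format string. "%%" is a literal percent sign. */
int count_conversions(const char *label)
{
    int count = 0;

    for (const char *p = label; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample labels. */
    const char *labels[] = { "Loopback cam", "100%% webcam", "%s%s%s%s" };
    char card[CARD_LEN];

    for (size_t i = 0; i < sizeof labels / sizeof labels[0]; i++) {
        set_card_label(card, sizeof card, labels[i]);
        printf("%-14s conversions=%d stored=\"%s\"\n",
               labels[i], count_conversions(labels[i]), card);
    }
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn about the commented-out pattern when it appears in real code.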
Comment 1 Larry the Git Cow gentoo-dev 2023-06-21 08:29:55 UTC
The bug has been referenced in the following commit(s):

commit 032d9f3e8f89b760dc4d179a79128ae0490387b7
Author:     Andrew Ammerlaan <>
AuthorDate: 2023-06-21 08:25:15 +0000
Commit:     Andrew Ammerlaan <>
CommitDate: 2023-06-21 08:29:43 +0000

    media-video/v4l2loopback: migrate to linux-mod-r1.eclass, EAPI bump
    This should also fix Bug 843053 (please confirm that it works now)
    Should also fix the open CVE-2022-2652, the mentioned patch is in this release
    Signed-off-by: Andrew Ammerlaan <>

 media-video/v4l2loopback/Manifest                  |  1 +
 .../v4l2loopback/v4l2loopback-0.12.7.ebuild        | 59 ++++++++++++++++++++++
 media-video/v4l2loopback/v4l2loopback-9999.ebuild  | 19 +++----
 3 files changed, 70 insertions(+), 9 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-22 04:34:32 UTC
Thanks! Please stable when ready
Comment 3 Hans de Graaff gentoo-dev Security 2023-10-22 13:55:55 UTC
As far as I can tell this package never had stable versions. Please clean up vulnerable version 0.12.5-r1.
Comment 4 Quincy Fleming 2024-03-23 11:39:11 UTC
Version 0.12.5 was dropped in this commit:

This bug can be closed now.