Bug 866401 (CVE-2022-36055)

Summary: <app-admin/helm-3.9.4: DoS via OOM panic
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ulm, williamh
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/helm/helm/security/advisories/GHSA-7hfp-qfw3-5jxh
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-24 20:09:11 UTC
"Fuzz testing, provided by the CNCF, identified input to functions in the strvals package that can cause an out of memory panic. Out of memory panics cannot be recovered from. Applications that use functions from the strvals package in the Helm SDK can have a Denial of Service attack when they use this package and it panics."

Fix is in 3.9.4, please bump.
Comment 1 Larry the Git Cow gentoo-dev 2022-09-09 17:20:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2c41d36a874cba2f7adcc8f0aaa1f317c1ab6ac

commit a2c41d36a874cba2f7adcc8f0aaa1f317c1ab6ac
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-09-09 17:14:51 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-09-09 17:19:31 +0000

    app-admin/helm: add 3.9.4
    
    Bug: https://bugs.gentoo.org/866401
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-admin/helm/Manifest          |  2 ++
 app-admin/helm/helm-3.9.4.ebuild | 41 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-09 17:29:47 UTC
Thanks! Please stabilize when ready.
Comment 3 Ulrich Müller gentoo-dev 2022-11-29 12:17:41 UTC
(In reply to John Helmert III from comment #2)
> Thanks! Please stabilize when ready.

3.9.4 is stable since September.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-29 23:00:11 UTC
(In reply to Ulrich Müller from comment #3)
> (In reply to John Helmert III from comment #2)
> > Thanks! Please stabilize when ready.
> 
> 3.9.4 is stable since September.

Of course, nobody told the bug..
Comment 5 Larry the Git Cow gentoo-dev 2022-11-29 23:10:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3666d2e7ea144e78d67aa7b6d00c19c3fbc95a0

commit c3666d2e7ea144e78d67aa7b6d00c19c3fbc95a0
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-29 23:01:14 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-29 23:09:57 +0000

    app-admin/helm: drop 3.8.1
    
    Bug: https://bugs.gentoo.org/866401
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-admin/helm/Manifest          |  2 --
 app-admin/helm/helm-3.8.1.ebuild | 41 ----------------------------------------
 2 files changed, 43 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-30 22:14:49 UTC
Only DoS, only reachable from reverse dependencies. No GLSA.