| Summary: | <dev-libs/confuse-3.3-r2: Heap buffer overflow | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Vaibhav Rustagi <vaibhavrustagi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | IN_PROGRESS --- | | |
| Severity: | major | CC: | arkamar, maintainer-needed, vaibhavrustagi |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://github.com/gentoo/gentoo/pull/30104 https://github.com/libconfuse/libconfuse/issues/163 | | |
| Whiteboard: | B3 [glsa?] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 904536 | | |
| Bug Blocks: | | | |

Description
Vaibhav Rustagi
2023-03-13 21:45:58 UTC
Created a PR: https://github.com/gentoo/gentoo/pull/30104

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5dce806e4b3a04419f125938501990818739bbb8

commit 5dce806e4b3a04419f125938501990818739bbb8
Author: Vaibhav Rustagi <vaibhavrustagi@google.com>
AuthorDate: 2023-03-13 21:33:11 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2023-03-13 23:27:02 +0000

dev-libs/confuse: Add fix for CVE-2022-40320

The source of libconfuse package didn't make a release since Jun 24, 2020 (https://github.com/libconfuse/libconfuse). Therefore, to fix the CVE add a patch.

[sam: adjust patch metadata, drop back to ~arch.]

Bug: https://bugs.gentoo.org/901089
Signed-off-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
Closes: https://github.com/gentoo/gentoo/pull/30104
Signed-off-by: Sam James <sam@gentoo.org>

dev-libs/confuse/confuse-3.3-r2.ebuild | 62 ++++++++++++++++++++++
.../files/confuse-3.3-fix-CVE-2022-40320.patch | 39 ++++++++++++++
2 files changed, 101 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0859f1f4d6a63e0d2257020ea7b31e4a0a881d0e

commit 0859f1f4d6a63e0d2257020ea7b31e4a0a881d0e
Author: Petr Vaněk <arkamar@gentoo.org>
AuthorDate: 2024-09-10 20:46:53 +0000
Commit: Petr Vaněk <arkamar@gentoo.org>
CommitDate: 2024-09-10 20:48:26 +0000

dev-libs/confuse: drop 3.3, 3.3-r1

Bug: https://bugs.gentoo.org/901089
Signed-off-by: Petr Vaněk <arkamar@gentoo.org>

dev-libs/confuse/confuse-3.3-r1.ebuild | 56 ----------------------------------
dev-libs/confuse/confuse-3.3.ebuild | 53 --------------------------------
2 files changed, 109 deletions(-)