
Bug 901089 (CVE-2022-40320)

Summary: <dev-libs/confuse-3.3-r2: Heap buffer overflow
Product: Gentoo Security Reporter: Vaibhav Rustagi <vaibhavrustagi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: major CC: maintainer-needed, vaibhavrustagi
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: B3 [glsa? cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 904536    
Bug Blocks:    

Description Vaibhav Rustagi 2023-03-13 21:45:58 UTC
CVE-2022-40320: cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read.
Comment 1 Vaibhav Rustagi 2023-03-13 21:49:00 UTC
Created a PR:
Comment 2 Larry the Git Cow gentoo-dev 2023-03-13 23:27:18 UTC
The bug has been referenced in the following commit(s):

commit 5dce806e4b3a04419f125938501990818739bbb8
Author:     Vaibhav Rustagi <>
AuthorDate: 2023-03-13 21:33:11 +0000
Commit:     Sam James <>
CommitDate: 2023-03-13 23:27:02 +0000

    dev-libs/confuse: Add fix for CVE-2022-40320

    The libconfuse package source hasn't made a release since Jun 24,
    2020 ( Therefore, to fix the
    CVE, add a patch.
    [sam: adjust patch metadata, drop back to ~arch.]
    Signed-off-by: Vaibhav Rustagi <>
    Signed-off-by: Sam James <>

 dev-libs/confuse/confuse-3.3-r2.ebuild             | 62 ++++++++++++++++++++++
 .../files/confuse-3.3-fix-CVE-2022-40320.patch     | 39 ++++++++++++++
 2 files changed, 101 insertions(+)