Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 919157 (CVE-2023-39976)

Summary: <sys-cluster/libqb-2.0.8: buffer overflow via long log messages
Product: Gentoo Security Reporter: Allen Webb <allenwebb>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal CC: ajak, allenwebb, cluster
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/ClusterLabs/libqb/pull/490
See Also: https://github.com/gentoo/gentoo/pull/36368
Whiteboard: B2 [stable?]
Package list:
Runtime testing required: ---

Description Allen Webb 2023-12-04 16:38:37 UTC 
From the NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-39976

```
log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long log messages because the header size is not considered.
```

Reproducible: Always
Comment 1 Hans de Graaff gentoo-dev Security 2023-12-05 07:22:19 UTC 
Looks like this is fixed in 2.0.8: https://github.com/ClusterLabs/libqb/releases/tag/v2.0.8
Comment 2 Allen Webb 2024-01-10 13:44:06 UTC 
On ChromeOS we have moved to libqqb 2.0.8 with the same ebuild as 2.0.4 with just a name change and the newer source archive + digests.

https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/5177738
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-12 01:52:29 UTC 
(In reply to Allen Webb from comment #2)
> On ChromeOS we have moved to libqqb 2.0.8 with the same ebuild as 2.0.4 with
> just a name change and the newer source archive + digests.
> 
> https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-
> overlay/+/5177738

Care to make a PR? :)
Comment 4 Larry the Git Cow gentoo-dev 2024-05-03 11:55:04 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b77e756584b035aedf67e85070e578e245e05ea

commit 6b77e756584b035aedf67e85070e578e245e05ea
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-04-22 23:30:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-03 11:53:39 +0000

    sys-cluster/libqb: add 2.0.8, security bump
    
    - Bump EAPI 7 -> 8
    - Tests pass
    
    Bug: https://bugs.gentoo.org/919157
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/36368
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-cluster/libqb/Manifest           |  1 +
 sys-cluster/libqb/libqb-2.0.8.ebuild | 68 ++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)