
Bug 925725 (CVE-2024-22857)

Summary: dev-libs/zlog: heap overflow RCE
Product: Gentoo Security
Reporter: Hank Leininger <hlein>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: trivial
CC: ajak, maintainer-needed
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/HardySimpson/zlog/issues/250
See Also: https://bugs.gentoo.org/show_bug.cgi?id=925342
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description Hank Leininger 2024-02-28 17:17:06 UTC
Full details not released yet, but a heap overflow leading to RCE has been reported in zlog up through the latest release, 1.2.17 (::gentoo has only 1.2.15). Upstream has not responded to private attempts for several months prior to the issue going public. CVE-2024-22857 has been reserved but not published yet at time of writing.

This is distinct from https://bugs.gentoo.org/837518 for which a fix exists but dev-libs/zlog was never bumped.

dev-libs/zlog has already started last-rites here: https://bugs.gentoo.org/925342
Comment 1 John Helmert III 2024-03-01 05:17:42 UTC
Thanks for reporting!
Comment 2 Michał Górny 2024-03-29 14:53:19 UTC
Package removed.