
Bug 937127 (CVE-2024-40897)

Summary: dev-lang/orc: Stack-based buffer overflow when formatting error messages for certain input files.
Product: Gentoo Security
Reporter: Christopher Fore <csfore>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: major
CC: gstreamer
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://gstreamer.freedesktop.org/security/sa-2024-0003.html
Whiteboard: C1 [ebuild]
Package list:
Runtime testing required: ---

Description Christopher Fore 2024-08-02 13:44:50 UTC
CVE-2024-40897:

It is possible for a malicious third party to trigger a buffer overflow and effect code execution with the same privileges as the orc compiler is called with by feeding it with malformed orc source files.

This only affects developers and CI environments using orcc, not users of liborc.


The above is fixed in 0.4.39.