Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 490990 (CVE-2014-9273) - <app-misc/hivex-1.3.11: DOS when accessing invalid registry hives (CVE-2014-9273)
Summary: <app-misc/hivex-1.3.11: DOS when accessing invalid registry hives (CVE-2014-9...
Status: RESOLVED FIXED
Alias: CVE-2014-9273
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2014/q4/787
Whiteboard: C2 [glsa]
Keywords:
: 530734 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-11-11 06:00 UTC by Anton Bolshakov
Modified: 2015-03-14 18:27 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Anton Bolshakov 2013-11-11 06:00:35 UTC
the new version is available from:

http://libguestfs.org/download/hivex/
https://github.com/libguestfs/hivex/releases
Comment 1 Yixun Lan gentoo-dev 2014-07-21 02:22:59 UTC
need to convert python eclass to python-r1 [1]
also python-2.6 is deprecated, and is removed from portage tree

[1] http://wiki.gentoo.org/wiki/Python-r1
http://wiki.gentoo.org/wiki/Project:Python/Eclasses
Comment 2 Andreis Vinogradovs ( slepnoga ) 2014-11-25 08:22:59 UTC
first test ebuild ( temporarily to the old еclass )
https://code.google.com/p/rion-overlay/source/browse/app-misc/hivex/hivex-1.3.11.ebuild
Comment 3 Hanno Böck gentoo-dev 2014-11-26 14:06:32 UTC
Please note that this is a security update:
http://seclists.org/oss-sec/2014/q4/787
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2014-11-27 05:45:59 UTC
hanno, thank you setting this as a security bug, and whiteboard.

CVS Request as per URL provided for OSS.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2014-11-27 06:26:29 UTC
*** Bug 530734 has been marked as a duplicate of this bug. ***
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2014-11-27 06:29:03 UTC
Adding URL:
https://bugzilla.redhat.com/show_bug.cgi?id=1167756
Comment 7 Andreis Vinogradovs ( slepnoga ) 2014-12-05 19:20:09 UTC
app-misc/hivex-1.3.11 in tree
Comment 8 Yury German Gentoo Infrastructure gentoo-dev Security 2014-12-07 18:40:05 UTC
Maintainer(s): Please let us know when the ebuild is ready for  stabilization, or call for stabilization.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2014-12-28 13:33:09 UTC
CVE-2014-9273 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9273):
  lib/handle.c in Hivex before 1.3.11 allows local users to execute arbitrary
  code and gain privileges via a small hive files, which triggers an
  out-of-bounds read or write.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev Security 2015-01-07 00:01:05 UTC
It has been 30 days in the tree so far no objections from maintainer. Calling for stabilization.

Arches, please test and mark stable:

=app-misc/hivex-1.3.11

Target Keywords : "amd64"

Thank you!
Comment 11 Agostino Sarubbo gentoo-dev 2015-01-09 08:33:40 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2015-01-15 23:13:28 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 13 Sergey Popov gentoo-dev 2015-02-19 07:41:31 UTC
Cleanup is done
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2015-03-14 18:27:19 UTC
This issue was resolved and addressed in
 GLSA 201503-07 at https://security.gentoo.org/glsa/201503-07
by GLSA coordinator Kristian Fiskerstrand (K_F).