Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 574408 (CVE-2014-9765) - <dev-util/xdelta-3.0.10: buffer overflow
Summary: <dev-util/xdelta-3.0.10: buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2014-9765
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-11 10:38 UTC by Agostino Sarubbo
Modified: 2017-01-18 08:47 UTC (History)
1 user (show)

See Also:
Package list:
=dev-util/xdelta-3.0.11
Runtime testing required: No
kensington: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-02-11 10:38:57 UTC 
From ${URL} :

Buffer overflow was found and fixed in xdelta3 binary diff tool that
allows arbitrary code execution from input files at least on some
systems.

This appears to be fixed in xdelta3 3.0.9 and later via
https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-02-11 14:41:37 UTC 
Please stabilize it.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-25 00:31:30 UTC 
First version containing the fix which hit the repository was =dev-util/xdelta-3.0.10. Slot 3 current stable version is =dev-util/xdelta-3.1.0.

New GLSA created.


@ Maintainer(s): Please cleanup <dev-util/xdelta-3.0.10.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-25 02:11:23 UTC 
Wait, I missed that mgorny committed directly into stable with a mask.

So following maintainer comment #1 and calling for stable:


@ Arches,

please test and mark stable: =dev-util/xdelta-3.0.11
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-11-25 07:56:52 UTC 
(In reply to Thomas Deutschmann from comment #3)
> Wait, I missed that mgorny committed directly into stable with a mask.

Yeah, sorry about that, repoman didn't catch it. Fixed now.
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2016-11-25 12:32:12 UTC 
Stable on alpha.
Comment 6 Agostino Sarubbo gentoo-dev 2016-11-25 18:30:00 UTC 
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-11-25 18:56:47 UTC 
x86 stable
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2017-01-01 09:13:45 UTC 
readded alpha as the arch was not marked stable.
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-03 10:40:55 UTC 
ppc64 stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-05 12:36:46 UTC 
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-11 10:39:42 UTC 
sparc stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-14 11:44:53 UTC 
Stable for HPPA.
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-15 15:52:28 UTC 
ppc stable
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2017-01-17 03:41:42 UTC 
This issue was resolved and addressed in
 GLSA 201701-40 at https://security.gentoo.org/glsa/201701-40
by GLSA coordinator Aaron Bauman (b-man).
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2017-01-17 03:45:22 UTC 
Pending stable on ia64 (not security supported) and then we can cleanup the vulnerable ebuilds.
Comment 16 Agostino Sarubbo gentoo-dev 2017-01-17 14:27:41 UTC 
ia64 stable.

Maintainer(s), please cleanup.