Bug 624462 (CVE-2017-9928, CVE-2017-9929) - <app-arch/lrzip-0.631_p20190619: multiple vulnerabilities (CVE-2017-{9928,9929})
Summary: <app-arch/lrzip-0.631_p20190619: multiple vulnerabilities (CVE-2017-{9928,9929})
Status: RESOLVED FIXED
Alias: CVE-2017-9928, CVE-2017-9929
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-10 14:56 UTC by Aleksandr Wagner (Kivak)
Modified: 2020-05-12 23:31 UTC
CC List: 1 user

See Also:
Package list:
app-arch/lrzip-0.631_p20190619
Runtime testing required: ---


Attachments

Description Aleksandr Wagner (Kivak) 2017-07-10 14:56:45 UTC
CVE-2017-9928 (https://nvd.nist.gov/vuln/detail/CVE-2017-9928):

In lrzip a stack buffer overflow was found in the function get_fileinfo in lrzip.c:979, which allows attackers to cause a denial of service via a crafted file.

https://github.com/ckolivas/lrzip/issues/74

CVE-2017-9929 (https://nvd.nist.gov/vuln/detail/CVE-2017-9929):

In lrzip a stack buffer overflow was found in the function get_fileinfo in lrzip.c:1074, which allows attackers to cause a denial of service via a crafted file.

https://github.com/ckolivas/lrzip/issues/75
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-08-10 16:44:20 UTC
all fixed in master
Comment 2 Larry the Git Cow gentoo-dev 2019-10-26 23:36:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5847e32605457f4c68ac4f89bfaa28a9e6cfafd4

commit 5847e32605457f4c68ac4f89bfaa28a9e6cfafd4
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 23:35:49 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 23:35:49 +0000

    app-arch/lrzip: bump to v0.631_p20190619
    
    Bug: https://bugs.gentoo.org/624462
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-arch/lrzip/Manifest                     |  1 +
 app-arch/lrzip/lrzip-0.631_p20190619.ebuild | 50 +++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-27 23:22:20 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-10-28 09:44:06 UTC
amd64 stable
Comment 5 ernsteiswuerfel archtester 2019-10-31 00:01:40 UTC
Looking good on ppc.

# cat lrzip-624462.report 
USE tests started on Do 31. Okt 00:08:56 CET 2019

FEATURES=' test' USE='' succeeded for =app-arch/lrzip-0.631_p20190619
USE='-static-libs' succeeded for =app-arch/lrzip-0.631_p20190619
USE='static-libs' succeeded for =app-arch/lrzip-0.631_p20190619
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:34:45 UTC
arm stable
Comment 7 ernsteiswuerfel archtester 2019-11-01 16:10:09 UTC
Looking good on ppc64.

# cat lrzip-624462.report 
USE tests started on Do 31. Okt 18:52:56 CET 2019

FEATURES=' test' USE='' succeeded for =app-arch/lrzip-0.631_p20190619
USE='-static-libs' succeeded for =app-arch/lrzip-0.631_p20190619
USE='static-libs' succeeded for =app-arch/lrzip-0.631_p20190619

revdep tests started on Do 31. Okt 18:58:17 CET 2019

FEATURES=' test' USE='' succeeded for mail-filter/amavisd-new
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2019-11-01 23:25:55 UTC
ppc/ppc64 stable thanks to ernsteiswuerfel!
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2019-11-07 00:21:54 UTC
arm64 stable
Comment 10 Rolf Eike Beer archtester 2019-11-11 19:56:32 UTC
hppa and sparc stable (last arches).
Comment 11 Larry the Git Cow gentoo-dev 2020-03-19 19:09:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa1bb661056944dbd337445144911fab166a0e78

commit aa1bb661056944dbd337445144911fab166a0e78
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-18 03:09:05 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 19:09:18 +0000

    app-arch/lrzip: security cleanup (bug #624462)
    
    Dropping old versions; new fixed version has long since been stabilised.
    
    Bug: https://bugs.gentoo.org/624462
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15000
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-arch/lrzip/Manifest              |  2 --
 app-arch/lrzip/lrzip-0.621.ebuild    | 35 ---------------------------------
 app-arch/lrzip/lrzip-0.631-r1.ebuild | 38 ------------------------------------
 3 files changed, 75 deletions(-)
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 19:25:34 UTC
Tree is clean!
Comment 13 NATTkA bot gentoo-dev 2020-04-06 15:25:56 UTC
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-05-12 23:31:41 UTC
This issue was resolved and addressed in
 GLSA 202005-01 at https://security.gentoo.org/glsa/202005-01
by GLSA coordinator Thomas Deutschmann (whissi).