Bug 629352 (CVE-2017-13755, CVE-2017-13756, CVE-2017-13760) - <app-forensics/sleuthkit-4.5.0: multiple vulnerabilities
Summary: <app-forensics/sleuthkit-4.5.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-13755, CVE-2017-13756, CVE-2017-13760
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/sleuthkit/sleuthki...
Whiteboard: B3 [noglsa cve]
Keywords:
Duplicates: 635232
Depends on:
Blocks:
 
Reported: 2017-08-30 07:59 UTC by Agostino Sarubbo
Modified: 2018-04-23 22:20 UTC (History)

See Also:
Package list:
=app-forensics/sleuthkit-4.5.0
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2017-08-30 07:59:07 UTC
CVE-2017-13760 (https://nvd.nist.gov/vuln/detail/CVE-2017-13760):

In The Sleuth Kit (TSK) 4.4.2, fls hangs on a corrupt exfat image in tsk_img_read() in tsk/img/img_io.c in libtskimg.a.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2017-08-30 08:01:53 UTC
CVE-2017-13756:
In The Sleuth Kit (TSK) 4.4.2, opening a crafted disk image triggers infinite recursion in dos_load_ext_table() in tsk/vs/dos.c in libtskvs.a, as demonstrated by mmls.

CVE-2017-13755:
In The Sleuth Kit (TSK) 4.4.2, opening a crafted ISO 9660 image triggers an out-of-bounds read in iso9660_proc_dir() in tsk/fs/iso9660_dent.c in libtskfs.a, as demonstrated by fls.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-23 22:51:26 UTC
*** Bug 635232 has been marked as a duplicate of this bug. ***
Comment 3 Göktürk Yüksek archtester gentoo-dev 2017-10-23 23:50:05 UTC
I confirm that the 4.4.2 in the tree is vulnerable to all three CVEs
Comment 4 Larry the Git Cow gentoo-dev 2017-11-08 23:56:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1029e7bca66676be009d086091823465f107bd2e

commit 1029e7bca66676be009d086091823465f107bd2e
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2017-11-08 23:55:59 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2017-11-08 23:55:59 +0000

    app-forensics/sleuthkit: remove vulnerable version 4.4.2 #629352
    
    This version is vulnerable to the following CVEs:
      CVE-2017-13755, CVE-2017-13756, CVE-2017-13760
    
    Bug: https://bugs.gentoo.org/629352
    Package-Manager: Portage-2.3.8, Repoman-2.3.2

 app-forensics/sleuthkit/Manifest               |   1 -
 app-forensics/sleuthkit/sleuthkit-4.4.2.ebuild | 175 -------------------------
 2 files changed, 176 deletions(-)
Comment 5 Göktürk Yüksek archtester gentoo-dev 2017-11-09 00:00:20 UTC
I've pushed sleuthkit-4.5.0 which fixes all the three CVEs.
Comment 6 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-09 00:36:09 UTC
(In reply to Göktürk Yüksek from comment #5)
> I've pushed sleuthkit-4.5.0 which fixes all the three CVEs.

Thank you, could you please confirm if prior versions (especially 4.0.2) are vulnerable? If that's the case, please call for stabilization when ready. If not, please let us know to reassign whiteboard to reflect the real status.

Thank you
Comment 7 D'juan McDonald (domhnall) 2017-11-09 03:38:34 UTC
@maintainer(s), please set your keywords, package list and cc arches to start stabilization. Thank you.

Gentoo Security Padawan
(jmbailey/mbailey_j)
Comment 8 Göktürk Yüksek archtester gentoo-dev 2017-11-27 14:35:17 UTC
Arches, please proceed with the stabilization.

@ChrisADR, I didn't see anything about prior versions in the CVEs. I'll more likely clean the prior versions after this stabilization.
Comment 9 Agostino Sarubbo gentoo-dev 2017-11-29 11:19:32 UTC
amd64 stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-29 18:55:08 UTC
x86 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2018-03-03 22:19:46 UTC
ppc stable
Comment 12 Matt Turner gentoo-dev 2018-04-22 19:17:38 UTC
hppa stable
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2018-04-22 20:54:22 UTC
GLSA Vote: No

@maintainer, please clean the vulnerable versions.
Comment 14 Larry the Git Cow gentoo-dev 2018-04-23 21:52:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15edf362028940ec8457c508320f17dbc1ef6a8b

commit 15edf362028940ec8457c508320f17dbc1ef6a8b
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2018-04-23 21:51:26 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2018-04-23 21:52:05 +0000

    app-forensics/sleuthkit: clean up old & vulnerable #629352
    
    Bug: https://bugs.gentoo.org/629352
    Package-Manager: Portage-2.3.27, Repoman-2.3.9

 app-forensics/sleuthkit/Manifest                   |  4 --
 .../files/sleuthkit-3.2.3-tools-shared-libs.patch  | 55 ----------------------
 .../files/sleuthkit-4.0.0-system-sqlite.patch      | 34 -------------
 .../files/sleuthkit-4.1.0-system-sqlite.patch      | 34 -------------
 app-forensics/sleuthkit/sleuthkit-4.0.2.ebuild     | 39 ---------------
 app-forensics/sleuthkit/sleuthkit-4.1.0.ebuild     | 38 ---------------
 app-forensics/sleuthkit/sleuthkit-4.1.2.ebuild     | 38 ---------------
 app-forensics/sleuthkit/sleuthkit-4.1.3.ebuild     | 38 ---------------
 8 files changed, 280 deletions(-)