According to the summary at $URL: Sharutils sharutils (unshar command) version 4.15.2 contains a Buffer Overflow vulnerability in Affected component on the file unshar.c at line 75, function looks_like_c_code. Failure to perform checking of the buffer containing input line, that can result in Could lead to code execution. This attack appears to be exploitable via Victim have to run unshar command on a specially crafted file. Reproducible: Always
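The report above says the input-line buffer is used without a check on its bounds. The following is an added illustration of the defensive pattern that closes that class of bug, not the sharutils source and not the CVE's actual code path: a hypothetical looks_like_c_code_bounded() that never reads past an explicit length, and a hypothetical read_line_bounded() that passes fgets the size it really allocated and reports over-long lines as truncated instead of letting them run past the buffer. The sample input, buffer size and classification rules are all constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* fmemopen, strnlen */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded analogue of a "does this line look like C" check.
 * Added illustration, not the unshar.c function of the same name.
 * Every access is guarded by `len`, so a line that arrives without a
 * terminating '\n' or NUL cannot make the scan walk past the buffer. */
bool looks_like_c_code_bounded(const char *line, size_t len)
{
    size_t i = 0;
    while (i < len && (line[i] == ' ' || line[i] == '\t'))
        i++;
    if (i >= len)
        return false;
    if (line[i] == '#' || line[i] == '{' || line[i] == '}')
        return true;
    /* "/*" or "//" needs a second byte; check it exists before reading it. */
    if (line[i] == '/' && i + 1 < len && (line[i + 1] == '*' || line[i + 1] == '/'))
        return true;
    return false;
}

/* Read one line into a caller-supplied buffer of `cap` bytes. The size
 * handed to fgets is the real allocation size, so a line longer than
 * cap-1 bytes is cut short and flagged rather than overflowing `buf`.
 * Returns the number of bytes stored (excluding the NUL); 0 at EOF. */
size_t read_line_bounded(FILE *fp, char *buf, size_t cap, bool *truncated)
{
    *truncated = false;
    if (cap == 0 || fgets(buf, (int)cap, fp) == NULL)
        return 0;
    size_t n = strnlen(buf, cap);
    if (n > 0 && buf[n - 1] == '\n')
        return n;
    /* No newline: either the final line at EOF, or the line did not fit.
     * Peek one byte to tell the two apart and discard the remainder. */
    int c = fgetc(fp);
    if (c != EOF) {
        *truncated = true;
        while (c != EOF && c != '\n')
            c = fgetc(fp);
    }
    return n;
}

/* Constructed sample input (not a real shar archive): one C-looking line,
 * one shell-looking line, and one line longer than the 16-byte buffer. */
static const char SAMPLE[] =
    "#include <x.h>\n"
    "echo hello\n"
    "/* this comment is much longer than sixteen bytes */\n";

/* Scan SAMPLE with a deliberately small heap buffer and count how many
 * lines classify as C and how many had to be truncated. Returns 0 on
 * success, -1 if the in-memory stream could not be opened. */
int scan_sample(int *c_like, int *truncations)
{
    enum { CAP = 16 };
    *c_like = 0;
    *truncations = 0;
    FILE *fp = fmemopen((void *)SAMPLE, sizeof SAMPLE - 1, "r");
    if (fp == NULL)
        return -1;
    char *buf = malloc(CAP);
    if (buf == NULL) {
        fclose(fp);
        return -1;
    }
    size_t n;
    bool trunc;
    while ((n = read_line_bounded(fp, buf, CAP, &trunc)) > 0) {
        if (looks_like_c_code_bounded(buf, n))
            (*c_like)++;
        if (trunc)
            (*truncations)++;
    }
    free(buf);
    fclose(fp);
    return 0;
}

int main(void)
{
    int c, t;
    if (scan_sample(&c, &t) != 0)
        return 1;
    printf("C-like lines: %d, truncated lines: %d\n", c, t);
    return 0;
}
```

The point to carry back to the real fix: keep one source of truth for the buffer's capacity, pass that same value to the function that fills it, and make the classifier consume an explicit length rather than assuming a terminator is present.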
Created attachment 558684
Fix CVE-2018-1000097, heap buffer overflow in unshar

From: Petr Pisar
Subject: Fix CVE-2018-1000097, heap buffer overflow in unshar
Bug-Debian: https://bugs.debian.org/893525
X-Debian-version: 1:4.15.2-3
This got lost in bugzilla due to no base-system cc, or classification. Re-surfacing!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=648bdf9134d87d5d6ca086b742964b77c3da87d8

commit 648bdf9134d87d5d6ca086b742964b77c3da87d8
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-03-13 12:02:46 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-03-13 12:02:46 +0000

    app-arch/sharutils: Add patch for CVE-2018-1000097

    Bug: https://bugs.gentoo.org/652686
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 .../files/sharutils-4.15.2-CVE-2018-1000097.patch        | 16 ++++++++++++++++
 ...harutils-4.15.2.ebuild => sharutils-4.15.2-r1.ebuild} |  1 +
 2 files changed, 17 insertions(+)
Let's stabilize this together with glibc in bug 674126
Please drop vulnerable