Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 655146 (CVE-2018-10689) - <sys-block/blktrace-1.2.0_p20210419122502: buffer overflow in the dev_map_read function in btt/devmap.c (CVE-2018-10689)
Summary: <sys-block/blktrace-1.2.0_p20210419122502: buffer overflow in the dev_map_rea...
Alias: CVE-2018-10689
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Depends on:
Reported: 2018-05-07 10:03 UTC by Agostino Sarubbo
Modified: 2021-07-08 03:35 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
nattka: sanity-check-


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2018-05-07 10:03:08 UTC
From ${URL} :

A flaw was found in blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel and Android, has a buffer overflow in the dev_map_read function in btt/devmap.c because the device and devno 
arrays are too small, as demonstrated by an invalid free when using the btt program with a crafted file.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Sam James archtester gentoo-dev Security 2020-04-22 22:11:58 UTC
@maintainer(s): ping, fancy applying the patch, or is it not suitable?
Comment 2 Larry the Git Cow gentoo-dev 2021-06-12 18:04:32 UTC
The bug has been referenced in the following commit(s):

commit d67d725f6bbb13cf73ff577df38e36bd08544d78
Author:     Robin H. Johnson <>
AuthorDate: 2021-06-12 18:01:43 +0000
Commit:     Robin H. Johnson <>
CommitDate: 2021-06-12 18:04:13 +0000

    sys-block/blktrace: bump using snapshot
    Reference: CVE-2018-10689
    Signed-off-by: Robin H. Johnson <>

 sys-block/blktrace/Manifest                        |  1 +
 .../blktrace/blktrace-1.2.0_p20210419122502.ebuild | 61 ++++++++++++++++++++++
 2 files changed, 62 insertions(+)
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2021-06-12 18:05:38 UTC
you can stablereq it. I chose to use the upstream snapshot because they haven't made a new release in 3.5 years, and it contains other build & functionality fixes to work in edge cases of newer kernels (e.g. cgroup stuff)
Comment 4 John Helmert III gentoo-dev Security 2021-06-12 18:08:03 UTC
Thanks Robin!
Comment 5 Agostino Sarubbo gentoo-dev 2021-06-13 06:28:12 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2021-06-13 06:32:49 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2021-06-14 09:15:13 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 8 NATTkA bot gentoo-dev 2021-06-20 17:20:38 UTC
Unable to check for sanity:

> no match for package: sys-block/blktrace-1.2.0_p20210419122502
Comment 9 John Helmert III gentoo-dev Security 2021-06-20 17:26:54 UTC
Ping, please cleanup
Comment 10 John Helmert III gentoo-dev Security 2021-07-06 00:03:01 UTC
GLSA request filed
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2021-07-08 03:35:40 UTC
This issue was resolved and addressed in
 GLSA 202107-15 at
by GLSA coordinator John Helmert III (ajak).