Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 753275 (CVE-2020-28241) - <dev-libs/libmaxminddb-1.4.3: Heap buffer overflow in dump_entry_data_list (CVE-2020-28241)
Summary: <dev-libs/libmaxminddb-1.4.3: Heap buffer overflow in dump_entry_data_list (C...
Status: RESOLVED FIXED
Alias: CVE-2020-28241
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/maxmind/libmaxmind...
Whiteboard: B3 [glsa+ cve]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-11-06 06:22 UTC by Sam James
Modified: 2020-11-14 18:16 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-11-06 06:22:58 UTC
"libmaxminddb before 1.4.3 has a heap-based buffer over-read in dump_entry_data_list in maxminddb.c."
Comment 1 Sam James archtester gentoo-dev Security 2020-11-06 11:05:28 UTC
arm64 done
Comment 2 Sam James archtester gentoo-dev Security 2020-11-06 11:52:52 UTC
arm done
Comment 3 Sam James archtester gentoo-dev Security 2020-11-06 20:35:55 UTC
amd64 done
Comment 4 Sergei Trofimovich gentoo-dev 2020-11-07 20:49:10 UTC
hppa/ppc/ppc64/sparc stable
Comment 5 Sam James archtester gentoo-dev Security 2020-11-09 23:14:13 UTC
x86 done

all arches done
Comment 6 Larry the Git Cow gentoo-dev 2020-11-11 00:25:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c329200c739413d0bd2e6a35a1979be75621e478

commit c329200c739413d0bd2e6a35a1979be75621e478
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-11-10 17:20:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-11-11 00:25:32 +0000

    dev-libs/libmaxminddb: security cleanup <1.4.3
    
    Bug: https://bugs.gentoo.org/753275
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/18217
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libmaxminddb/Manifest                  |  2 --
 dev-libs/libmaxminddb/libmaxminddb-1.3.2.ebuild | 27 -------------------------
 dev-libs/libmaxminddb/libmaxminddb-1.4.2.ebuild | 27 -------------------------
 3 files changed, 56 deletions(-)
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-11-14 18:16:51 UTC
This issue was resolved and addressed in
 GLSA 202011-15 at https://security.gentoo.org/glsa/202011-15
by GLSA coordinator Sam James (sam_c).