Bug 760714 (CVE-2020-26566) - <media-video/motion-4.3.2: segmentation fault via crafted HTTP request (CVE-2020-26566)
Status: CONFIRMED
Alias: CVE-2020-26566
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/Motion-Project/mot...
Whiteboard: B3 [glsa? cleanup]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2020-12-19 09:04 UTC by John Helmert III
Modified: 2021-01-04 09:33 UTC

See Also:
Package list:
media-video/motion-4.3.2
Runtime testing required: ---
nattka: sanity-check+


Description John Helmert III gentoo-dev Security 2020-12-19 09:04:16 UTC
CVE-2020-26566 (https://github.com/Motion-Project/motion/issues/1227):

A Denial of Service condition in Motion-Project Motion 3.2 through 4.3.1 allows remote unauthenticated users to cause a webu.c segmentation fault and kill the main process via a crafted HTTP request.


Maintainers, please let us know when ready to stable.
Comment 1 Johannes Willem (Hans) Fernhout 2020-12-29 09:54:57 UTC
The differences between 4.3.2 and 4.3.1 are only two bug fixes, including a fix for this CVE.

Suggest to stabilize 4.3.2, and mask 4.3.1.
Comment 2 Sam James archtester gentoo-dev Security 2020-12-31 04:13:14 UTC
(In reply to Johannes Willem (Hans) Fernhout from comment #1)
> The differences between 4.3.2 and 4.3.1 are only two bug fixes, including a
> fix for this CVE.
> 
> Suggest to stabilize 4.3.2, and mask 4.3.1.

Thanks!
Comment 3 Sam James archtester gentoo-dev Security 2021-01-01 23:00:19 UTC
amd64 done
Comment 4 Sam James archtester gentoo-dev Security 2021-01-04 09:32:14 UTC
x86 done

all arches done
Comment 5 Sam James archtester gentoo-dev Security 2021-01-04 09:33:15 UTC
Please cleanup, thanks!