Bug 761409 (CVE-2019-0205, CVE-2019-0210) - <dev-python/thrift-0.13.0: Multiple vulnerabilities (CVE-2019-{0205,0210})
Summary: <dev-python/thrift-0.13.0: Multiple vulnerabilities (CVE-2019-{0205,0210})
Status: RESOLVED FIXED
Alias: CVE-2019-0205, CVE-2019-0210
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-23 17:41 UTC by Sam James
Modified: 2021-07-14 03:13 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-23 17:41:57 UTC
* CVE-2019-0205

Description:
"In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings."

* CVE-2019-0210

Description:
"In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed with invalid input data."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-23 17:42:15 UTC
Please bump to 0.13.0, thanks!
Comment 2 Larry the Git Cow gentoo-dev 2020-12-24 08:58:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25eda03e3a6f32f3e20742165a0b9e6e6f87f4c2

commit 25eda03e3a6f32f3e20742165a0b9e6e6f87f4c2
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-12-24 08:58:45 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-12-24 08:58:45 +0000

    dev-python/thrift-0.13.0: version bump, bug #761409
    
    Bug: https://bugs.gentoo.org/761409
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 dev-python/thrift/Manifest             |  1 +
 dev-python/thrift/thrift-0.13.0.ebuild | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-25 16:15:04 UTC
Thank you! Please stabilize when ready.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-06 00:54:54 UTC
Ready?
Comment 5 Fabian Groffen gentoo-dev 2021-01-06 08:01:27 UTC
go ahead
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 05:58:50 UTC
x86 done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 10:05:23 UTC
amd64 done

all arches done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-01-07 10:13:00 UTC
Please cleanup, thanks!
Comment 9 Larry the Git Cow gentoo-dev 2021-01-07 14:44:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e82c786f414c8a81a5fde1dcf66ce4f47fe4d77c

commit e82c786f414c8a81a5fde1dcf66ce4f47fe4d77c
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-01-07 14:44:09 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-01-07 14:44:09 +0000

    dev-python/thrift: security cleanup
    
    Bug: https://bugs.gentoo.org/761409
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 dev-python/thrift/Manifest             |  1 -
 dev-python/thrift/thrift-0.11.0.ebuild | 20 --------------------
 2 files changed, 21 deletions(-)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-08 01:13:30 UTC
GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2021-07-14 03:13:47 UTC
This issue was resolved and addressed in
 GLSA 202107-32 at https://security.gentoo.org/glsa/202107-32
by GLSA coordinator John Helmert III (ajak).