Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 770145 (CVE-2020-13949) - <dev-python/thrift-0.14.1: potential DoS when processing untrusted Thrift payloads (CVE-2020-13949)
Summary: <dev-python/thrift-0.14.1: potential DoS when processing untrusted Thrift pay...
Status: RESOLVED FIXED
Alias: CVE-2020-13949
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-12 01:11 UTC by John Helmert III
Modified: 2021-07-14 03:13 UTC (History)
1 user (show)

See Also:
Package list:
dev-python/thrift-0.14.1 amd64 x86
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-12 01:11:11 UTC 
CVE-2020-13949:

Applications using Thrift would not error upon receiving messages
declaring containers of sizes larger than the payload. As a result,
malicious RPC clients could send short messages which would result in a
large memory allocation, potentially leading to denial of service.


Fixed in 0.14.0, please bump.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-31 20:50:34 UTC 
ping
Comment 2 Larry the Git Cow gentoo-dev 2021-06-01 06:39:05 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d737b9a8a8e0fa201ed4f9ecf529e5699d3b3bb

commit 3d737b9a8a8e0fa201ed4f9ecf529e5699d3b3bb
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-06-01 06:38:48 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-06-01 06:39:03 +0000

    dev-python/thrift-0.14.1: version bump
    
    Bug: https://bugs.gentoo.org/770145
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 dev-python/thrift/Manifest             |  1 +
 dev-python/thrift/thrift-0.14.1.ebuild | 27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 01:19:28 UTC 
Please proceed with stabilization when ready.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-16 20:45:30 UTC 
(In reply to John Helmert III from comment #3)
> Please proceed with stabilization when ready.

ping
Comment 5 Fabian Groffen gentoo-dev 2021-06-17 08:09:11 UTC 
arches, please stabilise =dev-python/thrift-0.14.1 thanks
Comment 6 Agostino Sarubbo gentoo-dev 2021-06-18 06:27:11 UTC 
amd64 stable
Comment 7 NATTkA bot gentoo-dev 2021-06-18 06:32:40 UTC Comment hidden (obsolete)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-18 13:51:17 UTC 
I guess arm wasn't supposed to be CCd? Don't forget to use nattka to handle arches trivially!

https://archives.gentoo.org/gentoo-dev/message/cd62f6be924f6a0f76b68a07d33b256a
Comment 9 Fabian Groffen gentoo-dev 2021-06-18 18:17:53 UTC 
nattka didn't work, so I wanted to add the archs x86 and amd64 manually myself, apparently I accidentially added arm instead.
Comment 10 Agostino Sarubbo gentoo-dev 2021-06-19 10:01:35 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Larry the Git Cow gentoo-dev 2021-06-19 19:06:50 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72e4790572c52c37f876509da179b24b4ae83734

commit 72e4790572c52c37f876509da179b24b4ae83734
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-06-19 19:06:44 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-06-19 19:06:44 +0000

    dev-python/thrift: cleanup old
    
    Bug: https://bugs.gentoo.org/770145
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 dev-python/thrift/Manifest             |  1 -
 dev-python/thrift/thrift-0.13.0.ebuild | 25 -------------------------
 2 files changed, 26 deletions(-)
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-19 21:34:12 UTC 
Thanks!
Comment 13 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-08 01:13:31 UTC 
GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2021-07-14 03:13:50 UTC 
This issue was resolved and addressed in
 GLSA 202107-32 at https://security.gentoo.org/glsa/202107-32
by GLSA coordinator John Helmert III (ajak).