Bug 770145 (CVE-2020-13949) - <dev-python/thrift-0.14.1: potential DoS when processing untrusted Thrift payloads (CVE-2020-13949)
Summary: <dev-python/thrift-0.14.1: potential DoS when processing untrusted Thrift payloads (CVE-2020-13949)
Status: RESOLVED FIXED
Alias: CVE-2020-13949
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-12 01:11 UTC by John Helmert III
Modified: 2021-07-14 03:13 UTC

See Also:
Package list:
dev-python/thrift-0.14.1 amd64 x86
Runtime testing required: ---
nattka: sanity-check+


Description John Helmert III gentoo-dev Security 2021-02-12 01:11:11 UTC
CVE-2020-13949:

Applications using Thrift would not error upon receiving messages
declaring containers of sizes larger than the payload. As a result,
malicious RPC clients could send short messages which would result in a
large memory allocation, potentially leading to denial of service.


Fixed in 0.14.0, please bump.
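Added example, not code from this bug, from Gentoo, or from Apache Thrift: a minimal Python reader for a TBinaryProtocol list<i32> (one element-type byte, a big-endian i32 count, then the elements) written two ways. The naive reader sizes its result from the attacker-controlled count before reading a single element, which is the pattern the CVE text describes; the hardened reader bounds the declared count by the bytes actually left in the message (and by a hard cap) before allocating anything. The attack payload is constructed here; the function names, HEADER_LEN, MAX_CONTAINER and the exact check are illustrative assumptions, not thrift 0.14's own code.

```python
import struct

# TBinaryProtocol type ids (subset). Assumed framing for the examples below:
# one element-type byte, then a big-endian signed i32 element count.
T_BOOL, T_BYTE, T_DOUBLE, T_I16, T_I32, T_I64, T_STRING = 2, 3, 4, 6, 8, 10, 11

# Smallest possible wire size of one element of each type. A declared count
# times this value can never legitimately exceed the bytes left in the message.
MIN_ELEM_SIZE = {T_BOOL: 1, T_BYTE: 1, T_DOUBLE: 8, T_I16: 2,
                 T_I32: 4, T_I64: 8, T_STRING: 4}

MAX_CONTAINER = 1_000_000  # hypothetical per-service cap on container length
HEADER_LEN = 5             # 1 byte element type + 4 byte count


def encode_i32_list(values):
    """Encode list<i32> as the binary protocol does: type byte, count, elements."""
    return struct.pack('>bi', T_I32, len(values)) + b''.join(
        struct.pack('>i', v) for v in values)


def forge_short_i32_list(declared_size, values):
    """Constructed attack payload: the header claims declared_size elements,
    the body carries only len(values) of them."""
    return struct.pack('>bi', T_I32, declared_size) + b''.join(
        struct.pack('>i', v) for v in values)


def naive_read_i32_list(buf):
    """Vulnerable pattern: size the result from the attacker-controlled count
    before any element has been read."""
    etype, size = struct.unpack_from('>bi', buf, 0)
    if etype != T_I32:
        raise ValueError('unexpected element type %d' % etype)
    if size < 0:
        raise ValueError('negative container size')
    out = [0] * size          # allocation driven entirely by 5 header bytes
    pos = HEADER_LEN
    try:
        for i in range(size):
            out[i] = struct.unpack_from('>i', buf, pos)[0]
            pos += 4
    except struct.error:
        raise EOFError('ran out of data after reserving %d slots' % size)
    return out


def check_container_header(etype, size, remaining, max_container=MAX_CONTAINER):
    """Reject a container header that the remaining bytes cannot back.
    Raises ValueError; returns None when the header is plausible."""
    if etype not in MIN_ELEM_SIZE:
        raise ValueError('unknown element type %d' % etype)
    if size < 0:
        raise ValueError('negative container size')
    if size > max_container:
        raise ValueError('container size %d exceeds limit %d' % (size, max_container))
    need = size * MIN_ELEM_SIZE[etype]
    if need > remaining:
        raise ValueError('declared %d elements need >= %d bytes, only %d remain'
                         % (size, need, remaining))


def safe_read_i32_list(buf, max_container=MAX_CONTAINER):
    """Hardened reader: validate the header against len(buf) before allocating."""
    etype, size = struct.unpack_from('>bi', buf, 0)
    if etype != T_I32:
        raise ValueError('unexpected element type %d' % etype)
    check_container_header(etype, size, len(buf) - HEADER_LEN, max_container)
    return list(struct.unpack_from('>%di' % size, buf, HEADER_LEN))


def try_read(reader, buf):
    """Run a reader and report ('ok', value) or (exception name, message)."""
    try:
        return 'ok', reader(buf)
    except (ValueError, EOFError) as exc:
        return type(exc).__name__, str(exc)


if __name__ == '__main__':
    # 9 bytes on the wire claiming 2^31-1 elements: rejected before any allocation.
    forged = forge_short_i32_list(2 ** 31 - 1, [7])
    print(len(forged), try_read(safe_read_i32_list, forged))
    # Scaled-down version for the naive reader; it reserves 200000 slots, then fails.
    print(try_read(naive_read_i32_list, forge_short_i32_list(200_000, [7])))
```

The demo deliberately never feeds the 2^31-1 header to naive_read_i32_list: that call would try to reserve roughly 2^31 list slots from a 9-byte message, which is the denial of service the advisory describes. The hardened reader also accepts messages with trailing bytes after the declared elements, since the check is a lower bound on what the message must contain, not an exact match.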
Comment 1 Thomas Deutschmann gentoo-dev Security 2021-05-31 20:50:34 UTC
ping
Comment 2 Larry the Git Cow gentoo-dev 2021-06-01 06:39:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d737b9a8a8e0fa201ed4f9ecf529e5699d3b3bb

commit 3d737b9a8a8e0fa201ed4f9ecf529e5699d3b3bb
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-06-01 06:38:48 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-06-01 06:39:03 +0000

    dev-python/thrift-0.14.1: version bump
    
    Bug: https://bugs.gentoo.org/770145
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 dev-python/thrift/Manifest             |  1 +
 dev-python/thrift/thrift-0.14.1.ebuild | 27 +++++++++++++++++++++++++++
 2 files changed, 28 insertions(+)
Comment 3 John Helmert III gentoo-dev Security 2021-06-02 01:19:28 UTC
Please proceed with stabilization when ready.
Comment 4 Sam James archtester gentoo-dev Security 2021-06-16 20:45:30 UTC
(In reply to John Helmert III from comment #3)
> Please proceed with stabilization when ready.

ping
Comment 5 Fabian Groffen gentoo-dev 2021-06-17 08:09:11 UTC
arches, please stabilise =dev-python/thrift-0.14.1 thanks
Comment 6 Agostino Sarubbo gentoo-dev 2021-06-18 06:27:11 UTC
amd64 stable
Comment 7 NATTkA bot gentoo-dev 2021-06-18 06:32:40 UTC Comment hidden (obsolete)
Comment 8 John Helmert III gentoo-dev Security 2021-06-18 13:51:17 UTC
I guess arm wasn't supposed to be CCd? Don't forget to use nattka to handle arches trivially!

https://archives.gentoo.org/gentoo-dev/message/cd62f6be924f6a0f76b68a07d33b256a
Comment 9 Fabian Groffen gentoo-dev 2021-06-18 18:17:53 UTC
nattka didn't work, so I wanted to add the archs x86 and amd64 manually myself, apparently I accidentally added arm instead.
Comment 10 Agostino Sarubbo gentoo-dev 2021-06-19 10:01:35 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Larry the Git Cow gentoo-dev 2021-06-19 19:06:50 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72e4790572c52c37f876509da179b24b4ae83734

commit 72e4790572c52c37f876509da179b24b4ae83734
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-06-19 19:06:44 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-06-19 19:06:44 +0000

    dev-python/thrift: cleanup old
    
    Bug: https://bugs.gentoo.org/770145
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 dev-python/thrift/Manifest             |  1 -
 dev-python/thrift/thrift-0.13.0.ebuild | 25 -------------------------
 2 files changed, 26 deletions(-)
Comment 12 John Helmert III gentoo-dev Security 2021-06-19 21:34:12 UTC
Thanks!
Comment 13 John Helmert III gentoo-dev Security 2021-07-08 01:13:31 UTC
GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2021-07-14 03:13:50 UTC
This issue was resolved and addressed in
 GLSA 202107-32 at https://security.gentoo.org/glsa/202107-32
by GLSA coordinator John Helmert III (ajak).