Bug 772272 (CVE-2021-3405) - <dev-libs/libebml-1.4.2: exploitable heap overflow on 32 bit builds (CVE-2021-3405)
Status: IN_PROGRESS
Alias: CVE-2021-3405
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://github.com/Matroska-Org/libeb...
Whiteboard: B1 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-02-23 22:02 UTC by John Helmert III
Modified: 2021-07-29 18:12 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III gentoo-dev Security 2021-02-23 22:02:22 UTC
CVE-2021-3405:

A flaw was found in libebml before 1.4.2. A heap overflow bug exists in the implementation of EbmlString::ReadData and EbmlUnicodeString::ReadData in libebml.

Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-02-24 16:22:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5a51938aa0fc53ed5804e6749ecd3db3db489d17

commit 5a51938aa0fc53ed5804e6749ecd3db3db489d17
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-02-24 15:02:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-02-24 16:21:43 +0000

    dev-libs/libebml: bump to 1.4.2
    
    Bug: https://bugs.gentoo.org/772272
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libebml/Manifest             |  1 +
 dev-libs/libebml/libebml-1.4.2.ebuild | 22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+)
Comment 2 Sam James archtester gentoo-dev Security 2021-02-24 20:23:48 UTC
ppc done
Comment 3 Sam James archtester gentoo-dev Security 2021-02-24 20:25:58 UTC
ppc64 done
Comment 4 Sam James archtester gentoo-dev Security 2021-02-24 20:26:49 UTC
arm done
Comment 5 Sam James archtester gentoo-dev Security 2021-02-24 23:20:33 UTC
arm64 done
Comment 6 Sam James archtester gentoo-dev Security 2021-02-25 07:31:38 UTC
x86 done
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2021-02-25 08:53:03 UTC
sparc stable
Comment 8 Sam James archtester gentoo-dev Security 2021-02-25 11:16:43 UTC
amd64 done

all arches done
Comment 9 Sam James archtester gentoo-dev Security 2021-02-25 11:23:07 UTC
Please cleanup.
Comment 10 Larry the Git Cow gentoo-dev 2021-02-25 12:57:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ee5c6ba9a4dcb4662c5a7dfe9092ff3378547e54

commit ee5c6ba9a4dcb4662c5a7dfe9092ff3378547e54
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-02-25 12:57:20 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-02-25 12:57:20 +0000

    dev-libs/libebml: Security cleanup
    
    Bug: https://bugs.gentoo.org/772272
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libebml/Manifest              |  4 ----
 dev-libs/libebml/libebml-1.3.10.ebuild | 20 --------------------
 dev-libs/libebml/libebml-1.3.9.ebuild  | 20 --------------------
 dev-libs/libebml/libebml-1.4.0.ebuild  | 20 --------------------
 dev-libs/libebml/libebml-1.4.1.ebuild  | 22 ----------------------
 5 files changed, 86 deletions(-)
Comment 11 John Helmert III gentoo-dev Security 2021-02-25 17:09:51 UTC
Thank you!
Comment 12 NATTkA bot gentoo-dev 2021-07-29 17:23:53 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-07-29 17:32:19 UTC Comment hidden (obsolete)
Comment 14 NATTkA bot gentoo-dev 2021-07-29 17:40:12 UTC Comment hidden (obsolete)
Comment 15 NATTkA bot gentoo-dev 2021-07-29 17:48:22 UTC Comment hidden (obsolete)
Comment 16 NATTkA bot gentoo-dev 2021-07-29 18:04:19 UTC Comment hidden (obsolete)
Comment 17 NATTkA bot gentoo-dev 2021-07-29 18:12:36 UTC
Package list is empty or all packages have requested keywords.