Bug 806070 (CVE-2021-37600) - <sys-apps/util-linux-2.37.1-r1: buffer overflow (CVE-2021-37600)
Status: RESOLVED FIXED
Alias: CVE-2021-37600
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/karelzak/util-linu...
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 809491
Blocks:
Reported: 2021-08-01 18:52 UTC by John Helmert III
Modified: 2024-01-07 08:32 UTC (History)

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-01 18:52:18 UTC
CVE-2021-37600:

An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file.

Unreleased patch: https://github.com/karelzak/util-linux/commit/1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c
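
One way an oversized element count read from a file can undersize a buffer, shown next to a checked allocation. This is an added example, not util-linux's code and not the upstream patch; `struct elem`, the function names and the sample value are assumptions, and the `bits` parameter models a build whose `size_t` is narrower than 64 bits.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-element record; not util-linux's own struct. */
struct elem { int val, ncount, zcount, pid; };

/* Largest value representable in an address space `bits` wide
 * (32 models an ILP32 build where size_t is narrower than uint64_t). */
static uint64_t width_max(unsigned bits)
{
    return bits >= 64 ? UINT64_MAX : (UINT64_C(1) << bits) - 1;
}

/* Unchecked pattern: the 64-bit count is narrowed, then multiplied,
 * so the byte size wraps while the caller still trusts `count`. */
static uint64_t naive_alloc_bytes(uint64_t count, unsigned bits)
{
    uint64_t m = width_max(bits);
    return ((count & m) * sizeof(struct elem)) & m;
}

/* Checked pattern: parse the field strictly, refuse zero and any count
 * whose byte size cannot be represented, and only then allocate.
 * Returns NULL when the field is refused. */
static struct elem *alloc_elems(const char *field, unsigned bits, uint64_t *count)
{
    uint64_t max = width_max(bits) < SIZE_MAX ? width_max(bits) : SIZE_MAX;
    char *end;

    errno = 0;
    unsigned long long n = strtoull(field, &end, 10);
    if (errno || end == field || *end != '\0')
        return NULL;
    if (n == 0 || n > max / sizeof(struct elem))
        return NULL;
    *count = n;
    return calloc((size_t)n, sizeof(struct elem));
}

int main(void)
{
    const char *field = "4294967297"; /* constructed value: 2^32 + 1 */
    uint64_t count = 0;

    printf("naive size on 32-bit: %llu bytes\n",
           (unsigned long long)naive_alloc_bytes(4294967297ULL, 32));
    printf("checked: %s\n", alloc_elems(field, 32, &count) ? "allocated" : "refused");
    return 0;
}
```

With the constructed count, the unchecked size is that of a single element while the caller would still iterate over more than four billion; the checked version refuses the field before any allocation.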
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-01 18:57:15 UTC
Upstream don't consider this an issue: https://github.com/karelzak/util-linux/issues/1395#issuecomment-888984731.
Comment 2 Larry the Git Cow gentoo-dev 2021-08-11 12:30:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da60551412d12ea1b7b0fe27a7603fb7873d63c2

commit da60551412d12ea1b7b0fe27a7603fb7873d63c2
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-08-11 12:25:48 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-08-11 12:30:42 +0000

    sys-apps/util-linux: Revbump to add various upstream fixes
    
    * Erase names in agetty by pressing CTRL-C (#804972)
    * Fixed user mount of davfs2 filesystems (#805218)
    * Fixed lscpu segfault on riscv platform with upstream patch (#802606)
    + Fixed potential buffer overflow in ipcutils (#806070) (CVE-2021-37600)
    
    Bug: https://bugs.gentoo.org/806070
    Closes: https://bugs.gentoo.org/804972
    Closes: https://bugs.gentoo.org/805218
    Closes: https://bugs.gentoo.org/802606
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 .../util-linux-2.37.1-agetty_ctrl-c_erase.patch    |  50 +++
 .../util-linux-2.37.1-ipcutils_calloc_check.patch  |  25 ++
 .../util-linux-2.37.1-libmount_setgroups_fix.patch |  38 +++
 ...l-linux-2.37.1-lscpu_NULL_dereference_fix.patch |  50 +++
 sys-apps/util-linux/util-linux-2.37.1-r1.ebuild    | 338 +++++++++++++++++++++
 5 files changed, 501 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-09-18 13:24:36 UTC
Please clean up.
Comment 4 Larry the Git Cow gentoo-dev 2024-01-07 08:30:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4e42800d2202837758726b7cc0f86440487fee40

commit 4e42800d2202837758726b7cc0f86440487fee40
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-07 08:30:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-07 08:30:48 +0000

    [ GLSA 202401-08 ] util-linux: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/806070
    Bug: https://bugs.gentoo.org/831978
    Bug: https://bugs.gentoo.org/833365
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-08.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)