Bug 830368 (CVE-2021-45940, CVE-2021-45941) - <dev-libs/libbpf-0.7.0: multiple vulnerabilities
Summary: <dev-libs/libbpf-0.7.0: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-45940, CVE-2021-45941
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 834693
Blocks:
Reported: 2022-01-01 02:03 UTC by Sam James
Modified: 2022-03-15 19:16 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-01-01 02:03:05 UTC
CVE-2021-45940 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868):

libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (4 bytes) in __bpf_object__open (called from bpf_object__open_mem and bpf-object-fuzzer.c).

CVE-2021-45941 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957):

libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 bytes) in __bpf_object__open (called from bpf_object__open_mem and bpf-object-fuzzer.c).
Comment 1 Niklāvs Koļesņikovs 2022-03-02 16:16:13 UTC
Is it clear that 0.6.1 was affected? To me it looks like the issue was already fixed on December 11, when 0.6.1 was tagged, so it's likely to no longer be affected.

Furthermore there is now 0.7.0 in tree which should certainly not be affected, unless I'm completely misunderstanding the automatic fuzzing reports.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-06 18:55:53 UTC
Yep, looks like the fixed commit is 33ec2ca026d568c4820324752be09a51460b7005, which is in 0.7.0, so need to stable 0.7.0. Shouldn't hurt to just trust the oss-fuzz tracking here.

Maintainer: please stabilize 0.7.0.
Comment 3 Larry the Git Cow gentoo-dev 2022-03-15 18:01:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94cab9ea037c1bdeb49d9b07fe53a36a43a10119

commit 94cab9ea037c1bdeb49d9b07fe53a36a43a10119
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-03-15 18:00:50 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-03-15 18:00:50 +0000

    dev-libs/libbpf: drop 0.6.1
    
    Bug: https://bugs.gentoo.org/830368
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-libs/libbpf/Manifest            |  1 -
 dev-libs/libbpf/libbpf-0.6.1.ebuild | 51 -------------------------------------
 2 files changed, 52 deletions(-)