Bug 864442 (CVE-2022-2652) - <media-video/v4l2loopback-0.12.7: kernel stack memory leak via format string vulnerability
Alias: CVE-2022-2652
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on:
Reported: 2022-08-08 17:32 UTC by John Helmert III
Modified: 2024-03-24 07:06 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-08 17:32:45 UTC

Depending on the way the format strings in the card label are crafted it's possible to leak kernel stack memory. There is also the possibility for DoS due to the v4l2loopback kernel module crashing when providing the card label on request (reproduce e.g. with many %s modifiers in a row).

Unreleased patch:
Comment 1 Larry the Git Cow gentoo-dev 2023-06-21 08:29:55 UTC
The bug has been referenced in the following commit(s):

commit 032d9f3e8f89b760dc4d179a79128ae0490387b7
Author:     Andrew Ammerlaan <>
AuthorDate: 2023-06-21 08:25:15 +0000
Commit:     Andrew Ammerlaan <>
CommitDate: 2023-06-21 08:29:43 +0000

    media-video/v4l2loopback: migrate to linux-mod-r1.eclass, EAPI bump
    This should also fix Bug 843053 (please confirm that it works now)
    Should also fix the open CVE-2022-2652, the mentioned patch is in this release
    Signed-off-by: Andrew Ammerlaan <>

 media-video/v4l2loopback/Manifest                  |  1 +
 .../v4l2loopback/v4l2loopback-0.12.7.ebuild        | 59 ++++++++++++++++++++++
 media-video/v4l2loopback/v4l2loopback-9999.ebuild  | 19 +++----
 3 files changed, 70 insertions(+), 9 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-22 04:34:32 UTC
Thanks! Please stable when ready
Comment 3 Hans de Graaff gentoo-dev Security 2023-10-22 13:55:55 UTC
As far as I can tell this package never had stable versions. Please clean up vulnerable version 0.12.5-r1.
Comment 4 Quincy Fleming 2024-03-23 11:39:11 UTC
Version 0.12.5 was dropped in this commit:

This bug can be closed now.
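
The bug class named in the description at the top of this bug, as an added userland illustration. It is not v4l2loopback code and not the patch referenced in this bug; it assumes the flaw has the usual shape of a caller-supplied label being passed as the format argument of an `snprintf`-style call. The function names, buffer size and label are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define CARD_LEN 32 /* constructed buffer size for this demo */

/* Vulnerable shape (assumed): the label itself is the format string, so any
 * '%' directive in it is interpreted and would read arguments never passed. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security" /* deliberate, demo only */
int fill_card_vulnerable(char *card, size_t len, const char *label)
{
    return snprintf(card, len, label);
}
#pragma GCC diagnostic pop

/* Hardened shape: constant format, the label is only ever treated as data. */
int fill_card_fixed(char *card, size_t len, const char *label)
{
    return snprintf(card, len, "%s", label);
}

/* Returns 1 if the label survives the call byte for byte, 0 otherwise. */
int label_preserved(int (*fill)(char *, size_t, const char *), const char *label)
{
    char card[CARD_LEN];
    fill(card, sizeof(card), label);
    return strcmp(card, label) == 0;
}

/* Audit/validation helper: flags labels that carry printf directives. */
int label_has_directive(const char *label)
{
    return strchr(label, '%') != NULL;
}

int main(void)
{
    /* Constructed label; "%%" takes no argument, so even the vulnerable
     * call stays well defined while still showing the label gets parsed. */
    const char *label = "cam 100%% zoom";
    printf("vulnerable preserved=%d fixed preserved=%d flagged=%d\n",
           label_preserved(fill_card_vulnerable, label),
           label_preserved(fill_card_fixed, label),
           label_has_directive(label));
    return 0;
}
```

Building with `-Wformat -Wformat-security` (or `-Werror=format-security`) and without the pragma makes the compiler report the non-literal format call, which is a cheap way to catch this pattern in review or CI.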