Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 877605 (CVE-2022-0699) - <sci-libs/shapelib-1.6.0: double free
Summary: <sci-libs/shapelib-1.6.0: double free
Status: IN_PROGRESS
Alias: CVE-2022-0699
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://github.com/OSGeo/shapelib/iss...
Whiteboard: B2 [stable?]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2022-10-19 02:06 UTC by John Helmert III
Modified: 2024-05-03 11:32 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-19 02:06:32 UTC
CVE-2022-0699:

A double-free condition exists in contrib/shpsort.c of shapelib 1.5.0 and older releases. This issue may allow an attacker to cause a denial of service or have other unspecified impact via control over malloc.

Patch: https://github.com/OSGeo/shapelib/commit/c75b9281a5b9452d92e1682bdfe6019a13ed819f
Comment 1 Hans de Graaff gentoo-dev Security 2023-10-17 15:37:43 UTC
Ping. Any reason we cannot apply the patch mentioned in the comment?
Comment 2 Larry the Git Cow gentoo-dev 2024-05-03 11:26:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3431299ebe0ad8b9bfa4879b90971f58dc71ff30

commit 3431299ebe0ad8b9bfa4879b90971f58dc71ff30
Author:     Christopher Fore <csfore@posteo.net>
AuthorDate: 2024-04-22 22:56:24 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-05-03 11:23:09 +0000

    sci-libs/shapelib: add 1.6.0, security bump
    
    - Bump subslot (now installs as libshp.so.4)
    - Tests pass
    - Bump to EAPI 8
    - Convert SRC_URI to HTTPS
    - Convert econf args to array
    
    Bug: https://bugs.gentoo.org/877605
    Signed-off-by: Christopher Fore <csfore@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/36367
    Signed-off-by: Sam James <sam@gentoo.org>

 sci-libs/shapelib/Manifest              |  1 +
 sci-libs/shapelib/shapelib-1.6.0.ebuild | 38 +++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)