Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 918091 (CVE-2023-43616, CVE-2023-43617, CVE-2023-43618, CVE-2023-43619, CVE-2023-43620, CVE-2023-43621) - <net-misc/croc-10.0.12: multiple vulnerabilities
Summary: <net-misc/croc-10.0.12: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2023-43616, CVE-2023-43617, CVE-2023-43618, CVE-2023-43619, CVE-2023-43620, CVE-2023-43621
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B2 [glsa?]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2023-11-23 17:58 UTC by John Helmert III
Modified: 2024-11-13 21:23 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-23 17:58:03 UTC
CVE-2023-43616 (https://github.com/schollz/croc/issues/594):

An issue was discovered in Croc through 9.6.5. A sender can cause a receiver to overwrite files during ZIP extraction.

CVE-2023-43617 (https://github.com/schollz/croc/issues/596):

An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name.

CVE-2023-43618 (https://github.com/schollz/croc/issues/597):

An issue was discovered in Croc through 9.6.5. The protocol requires a sender to provide its local IP addresses in cleartext via an ips? message.

CVE-2023-43619 (https://github.com/schollz/croc/issues/593):

An issue was discovered in Croc through 9.6.5. A sender may send dangerous new files to a receiver, such as executable content or a .ssh/authorized_keys file.

CVE-2023-43620 (https://github.com/schollz/croc/issues/595):

An issue was discovered in Croc through 9.6.5. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver.

CVE-2023-43621 (https://github.com/schollz/croc/issues/598):

An issue was discovered in Croc through 9.6.5. The shared secret, located on a command line, can be read by local users who list all processes and their arguments.

All unfixed upstream.
Comment 1 Larry the Git Cow gentoo-dev 2024-02-01 10:10:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78152d7c1255762e7a7623de16bee644f4aae414

commit 78152d7c1255762e7a7623de16bee644f4aae414
Author:     Armas Spann <zappel@simple-co.de>
AuthorDate: 2024-01-31 14:48:31 +0000
Commit:     Maciej Barć <xgqt@gentoo.org>
CommitDate: 2024-02-01 10:10:14 +0000

    net-misc/croc: drop 9.6.2, 9.6.4
    
    Bug: https://bugs.gentoo.org/918091
    Closes: https://bugs.gentoo.org/893980
    
    Signed-off-by: Armas Spann <zappel@simple-co.de>
    Closes: https://github.com/gentoo/gentoo/pull/35115
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 net-misc/croc/Manifest          |  4 ----
 net-misc/croc/croc-9.6.2.ebuild | 50 -----------------------------------------
 net-misc/croc/croc-9.6.4.ebuild | 50 -----------------------------------------
 3 files changed, 104 deletions(-)
Comment 2 ZappeL 2024-02-03 01:30:43 UTC
I applogize for my late response on this - But I think we need to "partially" re-open this ticket. As I've updated croc to version 9.6.6 - but none of the bugs mentioned in here are yet closed, see:

https://github.com/schollz/croc/issues/593 - open (requested CVE update/clarification for 9.6.6)
https://github.com/schollz/croc/issues/594 - open (requested CVE update/clarification for 9.6.6)
https://github.com/schollz/croc/issues/595 - open (requested CVE update/clarification for 9.6.6)
https://github.com/schollz/croc/issues/598 - open (requested CVE update/clarification for 9.6.6)

https://github.com/schollz/croc/issues/596 - open: changed from "bug" to enhancement
https://github.com/schollz/croc/issues/597 - open: changed from "bug" to enhancement


From my PoV two of them were lowerd to beeing a "feature" instead a vulnerability, whilst the other 4 are still unfixed.

Please let me know how we should proceed.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-02-12 03:32:48 UTC
> I applogize for my late response on this - But I think we need to "partially" re-open this ticket.

Thanks for noticing! We'll keep this open until they're fixed, or we can split unfixed bugs into another bug once some of them are fixed in-tree.
Comment 4 ZappeL 2024-02-13 18:29:48 UTC
Thanks for your reply. I just saw the updates from 9.6.7 - 9.6.9 flew by since last week. 

I'll take care to update the ebuild as soon as possible and will inform you if they fixed it.
Comment 5 Hans de Graaff gentoo-dev Security 2024-02-14 13:40:52 UTC
I have updated the summary version to reflect that we don't have a version in the repository where all vulnerabilities are fixed yet.
Comment 6 Larry the Git Cow gentoo-dev 2024-10-14 18:20:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ade17527c6ef959b7cde6698aeebb00a6b6a74c3

commit ade17527c6ef959b7cde6698aeebb00a6b6a74c3
Author:     Armas Spann <zappel@simple-co.de>
AuthorDate: 2024-10-14 16:57:10 +0000
Commit:     Maciej Barć <xgqt@gentoo.org>
CommitDate: 2024-10-14 18:20:27 +0000

    net-misc/croc: drop 9.6.15
    
    Removal off obsolete croc-9.6.15, which was the last version containing some
    known CVEs which are fixed in croc >=9.6.16.
    See https://github.com/schollz/croc/releases/tag/v9.6.16 as a reference.
    
    Bug: https://bugs.gentoo.org/918091
    Signed-off-by: Armas Spann <zappel@simple-co.de>
    Closes: https://github.com/gentoo/gentoo/pull/38989
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 net-misc/croc/Manifest           |  2 --
 net-misc/croc/croc-9.6.15.ebuild | 47 ----------------------------------------
 2 files changed, 49 deletions(-)
Comment 7 ZappeL 2024-11-13 21:23:19 UTC
(In reply to Hans de Graaff from comment #5)
> I have updated the summary version to reflect that we don't have a version
> in the repository where all vulnerabilities are fixed yet.

All affected versions had been removed.