Bug 939831 - <dev-libs/dotconf-1.4.1: Multiple vulnerabilities
Summary: <dev-libs/dotconf-1.4.1: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All, Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa? cleanup]
Keywords:
Depends on: 939832
Blocks:
Reported: 2024-09-19 02:57 UTC by Sam James
Modified: 2024-09-24 05:18 UTC

See Also:
Package list:
Runtime testing required: ---
Description: Sam James (archtester, Gentoo Infrastructure, gentoo-dev, Security) 2024-09-19 02:57:09 UTC
* https://github.com/williamh/dotconf/commit/6382711e9b0060bbd0408df512e48b2ce9cdb3be
* https://github.com/williamh/dotconf/commit/ced5b7e629142dd028acee11f55494c667a4ad49

The second one in particular:
"""
This fixes a security vulnerability as well as three other bugs.

The potential vulnerability lies on lines 280 to 314 of dotconf.c,
wherein the "dotconf_get_next_line" function does not use the provided
bufsize parameter. This can lead to an overflowing write of the
provided buffer when a line that contains an escape at the end is read
and is followed by a large following line. While most applications of
dotconf seem to trust the configuration file in question, this is a
direct buffer overflow which could be used to gain arbitrary code
execution. If nothing else, it is certainly a bug.

The three other related but not security-relevant bugs are in lines
259 to 278 in the function "dotconf_continue_line". Namely:
1. a line containing only an escape character followed by a newline or
followed by a carriage return + newline leads to a non-exploitable one
or two byte buffer underflow read, respectively
2. a line containing a carriage return + newline leads to a single byte
buffer underflow read
3. a line of any length ending with an escape followed by a carriage
return + newline leads to a miscomputation of the line offset, leading
to the escape character being retained

I would like to thank Addison Crump <addison.crump@cispa.de> for the
fixes.
"""