Bug 426496 (CVE-2012-3368) - <app-misc/dtach-0.8-r1: integer signedness error (CVE-2012-3368)
Summary: <app-misc/dtach-0.8-r1: integer signedness error (CVE-2012-3368)
Status: RESOLVED FIXED
Alias: CVE-2012-3368
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: B4 [noglsa]
Reported: 2012-07-13 23:27 UTC by GLSAMaker/CVETool Bot
Modified: 2012-11-17 13:13 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2012-07-13 23:27:24 UTC
CVE-2012-3368 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3368):
  Integer signedness error in attach.c in dtach 0.8 allows remote attackers to
  obtain sensitive information from daemon stack memory in opportunistic
  circumstances by reading application data after an improper connection-close
  request, as demonstrated by running an IRC client in dtach.


Upstream bug:
http://sourceforge.net/tracker/?func=detail&aid=3517812&group_id=36489&atid=417357

Proposed patch:
http://sourceforge.net/tracker/download.php?group_id=36489&atid=417357&file_id=441195&aid=3517812
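
The bug class named in the CVE text above, as an added C illustration that is not dtach's code and not taken from this report or the linked patch: a signed read(2)-style result stored in an unsigned length field defeats the error check. The packet layout, `fake_read` and both `fill_packet_*` functions are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical packet: one-byte unsigned length plus a small payload. */
struct packet {
    unsigned char len;
    unsigned char buf[8];
};

/* Constructed stand-in for read(2): copies src, or returns -1 to
 * simulate a failed read after the connection has gone away. */
static ssize_t fake_read(unsigned char *dst, size_t cap, const char *src, int fail)
{
    size_t n = strlen(src);
    if (fail)
        return -1;
    if (n > cap)
        n = cap;
    memcpy(dst, src, n);
    return (ssize_t)n;
}

/* Flawed: the signed result lands in an unsigned char, so -1 becomes 255
 * and the "<= 0" test only ever catches 0. Returns 1 if the packet would
 * be sent, 0 if the caller would stop. */
static int fill_packet_flawed(struct packet *pkt, const char *src, int fail)
{
    pkt->len = fake_read(pkt->buf, sizeof(pkt->buf), src, fail);
    return pkt->len <= 0 ? 0 : 1;
}

/* Fixed: test the result in its signed type, then narrow it. */
static int fill_packet_fixed(struct packet *pkt, const char *src, int fail)
{
    ssize_t len = fake_read(pkt->buf, sizeof(pkt->buf), src, fail);
    if (len <= 0)
        return 0;
    pkt->len = (unsigned char)len;
    return 1;
}

int main(void)
{
    struct packet p = {0};
    int sent = fill_packet_flawed(&p, "", 1);
    printf("flawed, failed read: send=%d len=%u\n", sent, (unsigned)p.len);
    printf("fixed,  failed read: send=%d\n", fill_packet_fixed(&p, "", 1));
    return 0;
}
```

In the flawed path the packet claims 255 bytes of payload although nothing was read, so whatever already sits in the buffer is treated as data.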
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2012-07-15 08:52:01 UTC
I will wait for progress on the upstream bug and/or redhat and then commit the patch.
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2012-11-07 21:21:51 UTC
+*dtach-0.8-r1 (07 Nov 2012)
+
+  07 Nov 2012; Justin Lecher <jlec@gentoo.org> +dtach-0.8-r1.ebuild,
+  +files/dtach-0.8-CVE-2012-3368.patch:
+  Backport fix for CVE-2012-3368, #426496
+


How long do we need to wait for stabilization?
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-08 00:28:46 UTC
(In reply to comment #2)
> 
> How long do we need to wait for stabilization?

No need to wait on security bugs if the ebuild is ready.

Arches, please test and mark stable 

=app-misc/dtach-0.8-r1
Comment 4 Agostino Sarubbo gentoo-dev 2012-11-10 10:08:24 UTC
amd64 stable
Comment 5 Andreas Schürch gentoo-dev 2012-11-12 19:16:55 UTC
x86 done.
Comment 6 Anthony Basile gentoo-dev 2012-11-15 12:18:41 UTC
stable ppc, closing
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-15 12:25:58 UTC
Thanks, everyone.

GLSA vote: no.
Comment 8 Justin Lecher (RETIRED) gentoo-dev 2012-11-15 12:55:44 UTC
+  15 Nov 2012; Justin Lecher <jlec@gentoo.org> -dtach-0.8.ebuild:
+  Drop vulnerable version, #426496
+
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-11-17 13:13:13 UTC
NO too, closing.