Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 544104 (CVE-2015-0838) - <dev-python/dulwich-0.9.9: Buffer overflow (CVE-2015-0838)
Summary: <dev-python/dulwich-0.9.9: Buffer overflow (CVE-2015-0838)
Alias: CVE-2015-0838
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2015-03-22 14:29 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2015-05-11 20:04 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-22 14:29:02 UTC
From ${URL}: 
Ivan Fratric of the Google Security Team has found a buffer overflow
in the C implementation of the apply_delta() function in Dulwich. This
function is used when accessing Git objects in pack files. Any
Git server or client based on Dulwich that handles untrusted pack
files is very likely to be vulnerable.

This issue has been assigned CVE-2015-0838.

I have attached patches against current HEAD and 0.9.8.
Dulwich 0.9.9 has been released with just this patch.

Tarball available here:

GPG signature:


Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-03-22 15:31:25 UTC
+*dulwich-0.10.0 (22 Mar 2015)
+*dulwich-0.9.9 (22 Mar 2015)
+  22 Mar 2015; Justin Lecher <> +dulwich-0.10.0.ebuild,
+  +dulwich-0.9.9.ebuild, -dulwich-0.9.4.ebuild, -dulwich-0.9.5.ebuild,
+  -dulwich-0.9.8.ebuild:
+  Drop old and bump version which fixes CVE-2015-0838, #544104
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2015-03-22 15:31:47 UTC
@arches please stabilize

Comment 3 Agostino Sarubbo gentoo-dev 2015-03-24 08:51:57 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-03-24 08:52:54 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Justin Lecher (RETIRED) gentoo-dev 2015-03-24 09:16:42 UTC
+  24 Mar 2015; Justin Lecher <> -dulwich-0.9.7.ebuild:
+  Clean up after sec stabilization, bug #544104
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 18:49:58 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: No
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-05-11 20:04:49 UTC
GLSA vote: no.

Closing as [noglsa]