Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 713328 (CVE-2015-8837) - <sys-fs/fuseiso-20070708-r3: Multiple vulnerabilities (CVE-2015-8837)
Summary: <sys-fs/fuseiso-20070708-r3: Multiple vulnerabilities (CVE-2015-8837)
Status: RESOLVED FIXED
Alias: CVE-2015-8837
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-18 22:15 UTC by Sam James
Modified: 2020-07-27 03:16 UTC (History)
3 users (show)

See Also:
Package list:
sys-fs/fuseiso-20070708-r3
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-03-18 22:15:48 UTC
Description:
"Stack-based buffer overflow in the isofs_real_readdir function in isofs.c in FuseISO 20070708 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long pathname in an ISO file."

URL: https://bugzilla.redhat.com/show_bug.cgi?id=863091
URL: https://bugzilla.redhat.com/show_bug.cgi?id=862211
URL: https://www.debian.org/security/2016/dsa-3551

Patches:
* https://sources.debian.org/patches/fuseiso/20070708-3.2/02-prevent-buffer-overflow.patch/ (for this vulnerability)
* https://sources.debian.org/patches/fuseiso/20070708-3.2/03-prevent-integer-overflow.patch/ (a separate integer overflow issue)
Comment 1 Sam James archtester gentoo-dev Security 2020-03-26 18:39:04 UTC
@maintainer(s), please create a suitable ebuild (IMO: apply the patches from Debian linked above).
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-05-22 18:56:40 UTC
@maintainer, ping.
Comment 3 Sam James archtester gentoo-dev Security 2020-07-18 23:15:07 UTC
ping..
Comment 4 Larry the Git Cow gentoo-dev 2020-07-19 19:08:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=675031ceeb5731701376347641f857d3d00c8322

commit 675031ceeb5731701376347641f857d3d00c8322
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-19 19:06:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-19 19:06:17 +0000

    sys-fs/fuseiso: revbump for security patches
    
    This fixes CVE-2015-8837 and another possible
    vulnerability using patches from Debian.
    
    Bug: https://bugs.gentoo.org/713328
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/fuseiso-20070708-CVE-2015-8837.patch     | 35 ++++++++++++++++++++++
 .../files/fuseiso-20070708-integer-overflow.patch  | 16 ++++++++++
 sys-fs/fuseiso/fuseiso-20070708-r3.ebuild          | 28 +++++++++++++++++
 3 files changed, 79 insertions(+)
Comment 5 Sam James archtester gentoo-dev Security 2020-07-20 17:14:58 UTC
x86 stable
Comment 6 Sam James archtester gentoo-dev Security 2020-07-20 17:15:12 UTC
amd64 stable. Please cleanup.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:08:09 UTC
This issue was resolved and addressed in
 GLSA 202007-20 at https://security.gentoo.org/glsa/202007-20
by GLSA coordinator Sam James (sam_c).
Comment 8 Sam James archtester gentoo-dev Security 2020-07-27 01:17:32 UTC
(In reply to GLSAMaker/CVETool Bot from comment #7)
> This issue was resolved and addressed in
>  GLSA 202007-20 at https://security.gentoo.org/glsa/202007-20
> by GLSA coordinator Sam James (sam_c).

Reopening for cleanup.
Comment 9 Larry the Git Cow gentoo-dev 2020-07-27 03:15:26 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f21c97c1fbade4e7fadee7a1e18b880976164416

commit f21c97c1fbade4e7fadee7a1e18b880976164416
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-27 02:31:16 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-27 03:15:17 +0000

    sys-fs/fuseiso: security cleanup
    
    Closes: https://bugs.gentoo.org/713328
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-fs/fuseiso/fuseiso-20070708-r2.ebuild | 22 ----------------------
 1 file changed, 22 deletions(-)