Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 608042 (CVE-2016-10195, CVE-2016-10196, CVE-2016-10197) - <dev-libs/libevent-2.1.7_rc: multiple vulnerabilities
Summary: <dev-libs/libevent-2.1.7_rc: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-10195, CVE-2016-10196, CVE-2016-10197
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on: 608180
Blocks:
  Show dependency tree
 
Reported: 2017-02-02 13:43 UTC by Agostino Sarubbo
Modified: 2017-10-18 22:55 UTC (History)
2 users (show)

See Also:
Package list:
=dev-libs/libevent-2.1.8
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2017-02-02 13:43:08 UTC
From ${URL} :


> [] https://github.com/libevent/libevent/issues/317
> libevent dns remote stack overread vulnerability

Use CVE-2016-10195.


> [] https://github.com/libevent/libevent/issues/318
> libevent (stack) buffer overflow in evutil_parse_sockaddr_port()

Use CVE-2016-10196.


> [] https://github.com/libevent/libevent/issues/332
> out-of-bounds read in search_make_new()

Use CVE-2016-10197.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers gentoo-dev 2017-02-02 14:35:43 UTC
"
Libevent 2.1.6 fixed three bugs that may have security implications. Can
you assign CVE IDs as appropriate?
"

says the cited parent. 2.1.6 was a beta release from August 2016. We have since seen a release candidate 2.1.7 and 2.1.8 is in the tree while 2.1.5 was removed as well.

All done?
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-02-02 15:24:02 UTC
(In reply to Jeroen Roovers from comment #1)
> says the cited parent. 2.1.6 was a beta release from August 2016. We have
> since seen a release candidate 2.1.7 and 2.1.8 is in the tree while 2.1.5
> was removed as well.
> 
> All done?

Well, looks like we need to stabilization >=dev-libs/libevent-2.1.7_rc in this case. Can we stabilize =dev-libs/libevent-2.1.8 or should we wait a little bit?
Comment 3 Jeroen Roovers gentoo-dev 2017-02-03 15:32:28 UTC
(In reply to Thomas Deutschmann from comment #2)
> Well, looks like we need to stabilization >=dev-libs/libevent-2.1.7_rc in
> this case.

Only if 2.0.22 is vulnerable.

> Can we stabilize =dev-libs/libevent-2.1.8 or should we wait a
> little bit?

Arch teams, please test and mark stable:
=dev-libs/libevent-2.1.8
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Agostino Sarubbo gentoo-dev 2017-02-09 14:37:32 UTC
amd64 stable
Comment 5 Michael Weber (RETIRED) gentoo-dev 2017-02-10 14:20:04 UTC
arm ppc ppc64 stable.
Comment 6 Stéphane BARBARAY 2017-02-27 13:00:43 UTC
Except that I had to mask 2.1.8 to emerge nfs-utils and ntp...

dev-libs/libevent:0

  (dev-libs/libevent-2.1.8:0/2.1-6::gentoo, ebuild scheduled for merge) conflicts with
    <=dev-libs/libevent-2.1 required by (net-fs/nfs-utils-1.3.1-r5:0/0::gentoo, installed)
    ^^                  ^^^
    >=dev-libs/libevent-2.0.9:0/0=[threads] required by (net-misc/ntp-4.2.8_p9:0/0::gentoo, installed)
                             ^^^^^
Comment 7 Jeroen Roovers gentoo-dev 2017-03-15 05:44:04 UTC
Stable for HPPA.
Comment 8 Jeroen Roovers gentoo-dev 2017-03-25 08:37:58 UTC
(In reply to Stéphane BARBARAY from comment #6)
Comment 9 Matt Turner gentoo-dev 2017-03-30 02:39:09 UTC
alpha/ia64 stable
Comment 10 Jeroen Roovers gentoo-dev 2017-04-15 08:59:04 UTC
Stable for AMD64 x86.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2017-04-27 05:41:55 UTC
Arches, Thank you for your work.

Can no longer wait on sparc as it is affecting release of GLSA. 
New GLSA Request filed.
Please stabilize sparc.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-05-07 20:28:49 UTC
This issue was resolved and addressed in
 GLSA 201705-01 at https://security.gentoo.org/glsa/201705-01
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 13 Thomas Deutschmann gentoo-dev Security 2017-05-07 20:31:56 UTC
Re-opening for sparc and cleanup.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev Security 2017-05-09 05:58:38 UTC
sparc - please stabilize or move to ~sparc.

Maintainer(s), please drop the vulnerable version(s).
Comment 15 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-04 13:14:53 UTC
Ping:

This report still open since 05/17 any news?

Security Team Padawan
ChrisADR
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-10 22:08:30 UTC
sparc was dropped to exp.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9

@maintainer(s), please cleanup.
Comment 17 Sergei Trofimovich gentoo-dev 2017-10-18 20:12:35 UTC
sparc stable (thanks to Rolf Eike Beer)
Comment 18 Aleksandr Wagner (Kivak) 2017-10-18 20:27:46 UTC
Stabilization has been completed, all vulnerable versions have been removed from the tree.