CVE-2017-1000232 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000232): A double-free vulnerability in str2host.c in ldns 1.7.0 has unspecified impact and attack vectors.
CVE-2017-1000231 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000231): A double-free vulnerability in parse.c in ldns 1.7.0 has unspecified impact and attack vectors.
@Maintainer, please advise the best way to handle this. Thank you
I have added 1.7.0-r1 to the tree with patches for both CVEs because upstream has not released a new version yet
(In reply to Marc Schiffbauer from comment #2)
> I have added 1.7.0-r1 to the tree with patches for both CVEs because
> upstream has not released a new version yet
Thank you, please call for stabilization when appropriate. I'm re-assigning whiteboard since a stable version is affected and no PoC from nothing besides the double free memory corruption.
First unaffected version in tree is net-libs/ldns-1.7.0-r1. net-libs/1.7.0-r2 is almost finished with stabilization, but is pending alpha. @alpha, please stabilize.
commit 62937fb372986f20d2a98e04f6f035c097131e97
Author: Tobias Klausmann <klausman@gentoo.org>
Date: Sat Jan 20 12:50:36 2018 +0100

net-libs/ldns-1.7.0-r2: alpha stable

Gentoo-Bug: http://bugs.gentoo.org/509632
(In reply to Sergei Trofimovich from comment #5)
> commit 62937fb372986f20d2a98e04f6f035c097131e97
> Author: Tobias Klausmann <klausman@gentoo.org>
> Date: Sat Jan 20 12:50:36 2018 +0100
>
> net-libs/ldns-1.7.0-r2: alpha stable
>
> Gentoo-Bug: http://bugs.gentoo.org/509632
Thanks, Sergei! @maintainer, please clean the vulnerable versions from the tree.
tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f8d1f906ee104fed8ee8994d8a861e15022b46b
*** Bug 618178 has been marked as a duplicate of this bug. ***