A double-free vulnerability in str2host.c in ldns 1.7.0 has unspecified
impact and attack vectors.
A double-free vulnerability in parse.c in ldns 1.7.0 has unspecified impact
and attack vectors.
@Maintainer, please advise the best way to handle this.
I have added 1.7.0-r1 to the tree with patches for both CVEs because upstream has not released a new version yet
(In reply to Marc Schiffbauer from comment #2)
> I have added 1.7.0-r1 to the tree with patches for both CVEs because
> upstream has not released a new version yet
Thank you, please call for stabilization when appropriate. I'm re-assigning whiteboard since a stable version is affected and no PoC from nothing besides the double free memory corruption.
First unaffected version in tree is net-libs/ldns-1.7.0-r1. net-libs/1.7.0-r2 is almost finished with stabilization, but is pending alpha.
@alpha, please stabilize.
Author: Tobias Klausmann <firstname.lastname@example.org>
Date: Sat Jan 20 12:50:36 2018 +0100
net-libs/ldns-1.7.0-r2: alpha stable
(In reply to Sergei Trofimovich from comment #5)
> commit 62937fb372986f20d2a98e04f6f035c097131e97
> Author: Tobias Klausmann <email@example.com>
> Date: Sat Jan 20 12:50:36 2018 +0100
> net-libs/ldns-1.7.0-r2: alpha stable
> Gentoo-Bug: http://bugs.gentoo.org/509632
@maintainer, please clean the vulnerable versions from the tree.
tree is clean:
*** Bug 618178 has been marked as a duplicate of this bug. ***