Bug 638434 (CVE-2017-10140) - sys-libs/db: Berkeley DB reads DB_CONFIG from the current working directory
Summary: sys-libs/db: Berkeley DB reads DB_CONFIG from the current working directory
Status: IN_PROGRESS
Alias: CVE-2017-10140
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A4 [upstream/ebuild cve]
Reported: 2017-11-22 08:03 UTC by Eddie Chapman
Modified: 2017-11-28 21:56 UTC
Description Eddie Chapman 2017-11-22 08:03:19 UTC
Berkeley DB reads the DB_CONFIG configuration file from the current working directory.

Upstream has not released a fix yet, but Ubuntu have just released updated packages using a patch that Fedora is also using, and which upstream has apparently endorsed (see RedHat BZ comments). So I suggest Gentoo do the same?

References:
http://seclists.org/oss-sec/2017/q2/452
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10140.html
https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch
https://bugzilla.redhat.com/show_bug.cgi?id=1464032#c9
Comment 1 Eddie Chapman 2017-11-22 08:43:13 UTC
Just tested the Fedora patch (added an epatch line to the latest stable db-5.3.28-r2.ebuild): it applied without error, and it built and installed fine. Haven't tested other versions.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-22 16:33:49 UTC
(In reply to Eddie Chapman from comment #1)

Thanks for the report Eddie, CCing maintainers to let them know about this.

@Maintainers please confirm if we are affected.
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2017-11-22 19:10:44 UTC
Looks ok, but I'm worried about subtle breakage by consumers. I need to check if DB_HOME is set in those cases (openldap berkdb mostly).
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-22 19:16:05 UTC
(In reply to Robin Johnson from comment #3)
> Looks ok, but I'm worried about subtle breakage by consumers. I need to
> check if DB_HOME is set in those cases (openldap berkdb mostly).

Thanks, please call for stabilization when a fixed version is available.