CVE-2017-13760 (https://nvd.nist.gov/vuln/detail/CVE-2017-13760): In The Sleuth Kit (TSK) 4.4.2, fls hangs on a corrupt exfat image in tsk_img_read() in tsk/img/img_io.c in libtskimg.a.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2017-13756: In The Sleuth Kit (TSK) 4.4.2, opening a crafted disk image triggers infinite recursion in dos_load_ext_table() in tsk/vs/dos.c in libtskvs.a, as demonstrated by mmls.

CVE-2017-13755: In The Sleuth Kit (TSK) 4.4.2, opening a crafted ISO 9660 image triggers an out-of-bounds read in iso9660_proc_dir() in tsk/fs/iso9660_dent.c in libtskfs.a, as demonstrated by fls.
*** Bug 635232 has been marked as a duplicate of this bug. ***
I confirm that the 4.4.2 in the tree is vulnerable to all three CVEs.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1029e7bca66676be009d086091823465f107bd2e

commit 1029e7bca66676be009d086091823465f107bd2e
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2017-11-08 23:55:59 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2017-11-08 23:55:59 +0000

    app-forensics/sleuthkit: remove vulnerable version 4.4.2 #629352

    This version is vulnerable to the following CVEs:
    CVE-2017-13755, CVE-2017-13756, CVE-2017-13760

    Bug: https://bugs.gentoo.org/629352
    Package-Manager: Portage-2.3.8, Repoman-2.3.2

 app-forensics/sleuthkit/Manifest               |   1 -
 app-forensics/sleuthkit/sleuthkit-4.4.2.ebuild | 175 -------------------------
 2 files changed, 176 deletions(-)
I've pushed sleuthkit-4.5.0 which fixes all the tree CVEs.
(In reply to Göktürk Yüksek from comment #5)
> I've pushed sleuthkit-4.5.0 which fixes all the tree CVEs.

Thank you, could you please confirm if prior versions (especially 4.0.2) are vulnerable? If that's the case, please call for stabilization when ready. If not, please let us know to reassign whiteboard to reflect the real status.

Thank you
@maintainer(s), Please set your keywords, package list and cc arches to start stabilization. Thank you.

Gentoo Security Padawan (jmbailey/mbailey_j)
Arches, please proceed with the stabilization.

@ChrisADR, I didn't see anything about prior versions in the CVEs. I'll more likely clean the prior versions after this stabilization.
amd64 stable
x86 stable
ppc stable
hppa stable
GLSA Vote: No

@maintainer, please clean the vulnerable versions.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=15edf362028940ec8457c508320f17dbc1ef6a8b

commit 15edf362028940ec8457c508320f17dbc1ef6a8b
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2018-04-23 21:51:26 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2018-04-23 21:52:05 +0000

    app-forensics/sleuthkit: clean up old & vulnerable #629352

    Bug: https://bugs.gentoo.org/629352
    Package-Manager: Portage-2.3.27, Repoman-2.3.9

 app-forensics/sleuthkit/Manifest                   |  4 --
 .../files/sleuthkit-3.2.3-tools-shared-libs.patch  | 55 ----------------------
 .../files/sleuthkit-4.0.0-system-sqlite.patch      | 34 -------------
 .../files/sleuthkit-4.1.0-system-sqlite.patch      | 34 -------------
 app-forensics/sleuthkit/sleuthkit-4.0.2.ebuild     | 39 ---------------
 app-forensics/sleuthkit/sleuthkit-4.1.0.ebuild     | 38 ---------------
 app-forensics/sleuthkit/sleuthkit-4.1.2.ebuild     | 38 ---------------
 app-forensics/sleuthkit/sleuthkit-4.1.3.ebuild     | 38 ---------------
 8 files changed, 280 deletions(-)