Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 605138 (CVE-2017-5208, CVE-2017-5331, CVE-2017-5332, CVE-2017-5333, CVE-2017-6009, CVE-2017-6010, CVE-2017-6011) - <media-gfx/icoutils-0.32.0: Multiple vulnerabilities
Summary: <media-gfx/icoutils-0.32.0: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-5208, CVE-2017-5331, CVE-2017-5332, CVE-2017-5333, CVE-2017-6009, CVE-2017-6010, CVE-2017-6011
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa cve]
Keywords:
: 610714 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-01-09 01:41 UTC by Thomas Deutschmann
Modified: 2018-01-25 00:34 UTC (History)
5 users (show)

See Also:
Package list:
=media-gfx/icoutils-0.32.0
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-01-09 01:41:12 UTC
From v0.31.1 changelog:

2017-01-08: icoutils 0.31.1 released.
  Security fixes:
    Colin Watson, Debian bug https://bugs.debian.org/850017
    Martin Gieseking, Fedora https://bugzilla.redhat.com/show_bug.cgi?id=1249276



@ Maintainer(s): Please bump to >=media-gfx/icoutils-0.31.1 and let us know when you are ready to stabilize.
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-11 03:53:57 UTC
from ${URL}:

> It turns out that this is not enough, so upstream has issued
> 
> http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=4fbe9222fd79ee31b7ec031b0be070a9a400d1d3
> 
> Could you please assign a further CVE for this follow up fix?

Use CVE-2017-5331.


> Furthermore I would like to ask if the following two commits from upstream,
> can have as well an identifier assigned:
> 
> http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
> http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a

Yes, but because these are immediately consecutive commits, the CVE
mapping may seem unusual.

Use CVE-2017-5332 for all of 1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
and also the index correction in
1a108713ac26215c7568353f6e02e727e6d4b24a. In other words, the change
from "entries[c]" to "entries[c-skipped]" in
1a108713ac26215c7568353f6e02e727e6d4b24a cannot have a new CVE ID
because the code was never "shipped" with "entries[c]" in use. There
aren't two independent problems related to establishing a maximum
allowable value of the size variable.

Use CVE-2017-5333 for the separate vulnerability fixed by the
introduction of the "size >= sizeof(uint16_t)*2" test in
1a108713ac26215c7568353f6e02e727e6d4b24a.
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2017-02-21 20:13:35 UTC
Further issues found in 0.31.1 incoming
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-03-16 09:12:58 UTC
*** Bug 610714 has been marked as a duplicate of this bug. ***
Comment 4 Larry the Git Cow gentoo-dev 2017-10-29 17:42:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11af7de2cc8e6ff58ed74e58709a91a630bb4dc1

commit 11af7de2cc8e6ff58ed74e58709a91a630bb4dc1
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-10-29 17:39:39 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-10-29 17:42:14 +0000

    media-gfx/icoutils: Bump to v0.32.0
    
    Thanks to Marty Plummer for the musl build fix (bug #631360).
    
    Closes: https://github.com/gentoo/gentoo/pull/5393
    Fixes: https://bugs.gentoo.org/631360
    Bug: https://bugs.gentoo.org/605138
    Closes: https://bugs.gentoo.org/635814
    
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 media-gfx/icoutils/Manifest               |  1 +
 media-gfx/icoutils/icoutils-0.32.0.ebuild | 49 +++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)}
Comment 5 Thomas Deutschmann gentoo-dev Security 2017-10-29 17:44:28 UTC
@ Arches,

please test and mark stable: =media-gfx/icoutils-0.32.0
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-10-29 21:09:52 UTC
x86 stable
Comment 7 Manuel Rüger gentoo-dev 2017-11-02 10:30:41 UTC
Stable on amd64
Comment 8 Sergei Trofimovich gentoo-dev 2017-11-12 10:41:15 UTC
ppc stable
Comment 9 D'juan McDonald (domhnall) 2018-01-05 03:33:19 UTC
All supported arches stabilized. @maintainer(s), proceed to cleanup, thank you.


Gentoo Security Padawan
(Jmbailey/mbailey_j)
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2018-01-11 23:00:19 UTC
This issue was resolved and addressed in
 GLSA 201801-12 at https://security.gentoo.org/glsa/201801-12
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 11 Thomas Deutschmann gentoo-dev Security 2018-01-11 23:03:08 UTC
Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop <media-gfx/icoutils-0.32.0!