Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 714934 (CVE-2017-7476, CVE-2018-17942) - [TRACKER] Multiple vulnerabilities in embedded gnulib (CVE-2017-7476, CVE-2018-17942)
Summary: [TRACKER] Multiple vulnerabilities in embedded gnulib (CVE-2017-7476, CVE-201...
Alias: CVE-2017-7476, CVE-2018-17942
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Keywords: Tracker
Depends on: 713104 714936 714938 714940 714942 714944 714948 714950 714952 714954 714956 714958 714960 714962 714964 714966 714968 714970 714972 714974 714976 714978 714980 714982 714984 714986 714988 714990 714992
  Show dependency tree
Reported: 2020-03-26 22:19 UTC by Sam James
Modified: 2020-09-07 22:27 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 22:19:04 UTC
1) CVE-2017-7476

"Gnulib before 2017-04-26 has a heap-based buffer overflow with the TZ environment variable. The error is in the save_abbr function in time_rz.c."



2) CVE-2018-17942

"The convert_to_decimal function in vasnprintf.c in Gnulib before 2018-09-23 has a heap-based buffer overflow because memory is not allocated for a trailing '\0' character during %f processing."

Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 22:25:25 UTC
If one of your packages blocks this bug, please investigate whether it contains a vulnerable version of gnulib -- or if it has in the past, so that we can act accordingly.

Please be proactive and let us know about any other gnulib packages which seem to be missing from this tracker.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2020-03-27 05:34:05 UTC
"due to": gnulib is intended to be embedded.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-27 06:18:35 UTC
FYI: Pretty much all of these are false positives. Do not panic.

I'll be checking these more thoroughly later but my script was not right. Having manually checked all the dependants so far, they are all clean.

I will reopen any that need to be reopened / file new ones for packages not already listed, but I'll cover this. So do not worry. Thank you for any efforts so far, sorry for the hassle caused!