From $URL:
A vulnerability was found in augeas <http://augeas.net/> that could allow attackers to cause memory corruption possibly leading to arbitrary code execution by passing crafted strings that would be mis-handled by parse_name().
A patch created by David Lutterkort is available on the following PR: https://github.com/hercules-team/augeas/pull/480
Briefly, input strings ending with a whitespace char would be escaped (aug_escape_name) then incorrectly trimmed in parse_name, leading to a later loop stepping over the terminating NUL character. Crashes in libvirtd were observed.
This issue was discovered by Han Han (Red Hat) through fuzzing with the Dice testing framework.
https://bugzilla.redhat.com/show_bug.cgi?id=1478373
--
Doran Moppert
Red Hat Product Security
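The trim-then-unescape interaction described in the advisory above, as an added example that is not augeas source code and not part of the original report. The function names, the shape of the unescape loop and the sample names are assumptions made for illustration; the bounds check stands in for the place where an unchecked loop would pass the terminator.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static char g_out[32];  /* large enough for the short constructed inputs below */

/* Naive trim: drops trailing whitespace even when it is backslash-escaped. */
static size_t trim_naive(const char *s, size_t len) {
    while (len > 0 && isspace((unsigned char)s[len - 1]))
        len--;
    return len;
}

/* Escape-aware trim: whitespace after an odd run of backslashes is kept. */
static size_t trim_escape_aware(const char *s, size_t len) {
    while (len > 0 && isspace((unsigned char)s[len - 1])) {
        size_t bs = 0;
        while (bs < len - 1 && s[len - 2 - bs] == '\\')
            bs++;
        if (bs % 2 == 1)
            break;              /* the whitespace is escaped: part of the name */
        len--;
    }
    return len;
}

/* Unescape s[0..len) into out. Returns the output length, or -1 when a
 * backslash is the final byte (an unchecked loop would skip the NUL here). */
static long unescape_checked(const char *s, size_t len, char *out) {
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '\\' && ++i >= len)
            return -1;          /* dangling escape left behind by the trim */
        out[o++] = s[i];
    }
    out[o] = '\0';
    return (long)o;
}

/* Hypothetical model of the sequence; out must hold strlen(in) + 1 bytes. */
static long parse_name_model(const char *in, int escape_aware, char *out) {
    size_t len = strlen(in);
    len = escape_aware ? trim_escape_aware(in, len) : trim_naive(in, len);
    return unescape_checked(in, len, out);
}

int main(void) {
    const char *name = "eth0\\ ";  /* constructed: eth0, backslash, space */
    printf("naive=%ld\n", parse_name_model(name, 0, g_out));
    printf("aware=%ld\n", parse_name_model(name, 1, g_out));
    return 0;
}
```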
1.7.0-r1 and/or 1.8.0-r1 should be fast stabilized (both have the patch). Older versions removed.
(In reply to Matthew Thode ( prometheanfire ) from comment #1)
> 1.7.0-r1 and/or 1.8.0-r1 should be fast stabilized (both have the patch).
> Older versions removed.
Thank you Matthew, please call for stabilization when necessary or let us know.
Gentoo Security Padawan
ChrisADR
Please stabilize the following:
=app-admin/augeas-1.8.1 alpha amd64 hppa ia64 ppc sparc x86
@Arches please test and mark stable.
Gentoo Security Padawan
ChrisADR
ia64 stable
Stable on alpha.
amd64/x86 stable
sparc was dropped to exp. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
ppc stable
hppa stable
Thank you all. @Maintainers please clean the tree. @Security please vote
cleaned up
GLSA Vote: No