CVE-2017-9928 (https://nvd.nist.gov/vuln/detail/CVE-2017-9928): In lrzip a stack buffer overflow was found in the function get_fileinfo in lrzip.c:979, which allows attackers to cause a denial of service via a crafted file.
https://github.com/ckolivas/lrzip/issues/74

CVE-2017-9929 (https://nvd.nist.gov/vuln/detail/CVE-2017-9929): In lrzip a stack buffer overflow was found in the function get_fileinfo in lrzip.c:1074, which allows attackers to cause a denial of service via a crafted file.
https://github.com/ckolivas/lrzip/issues/75
all fixed in master
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5847e32605457f4c68ac4f89bfaa28a9e6cfafd4

commit 5847e32605457f4c68ac4f89bfaa28a9e6cfafd4
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 23:35:49 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 23:35:49 +0000

    app-arch/lrzip: bump to v0.631_p20190619

    Bug: https://bugs.gentoo.org/624462
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-arch/lrzip/Manifest                     |  1 +
 app-arch/lrzip/lrzip-0.631_p20190619.ebuild | 50 +++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)
x86 stable
amd64 stable
Looking good on ppc.

# cat lrzip-624462.report
USE tests started on Do 31. Okt 00:08:56 CET 2019
FEATURES=' test' USE='' succeeded for =app-arch/lrzip-0.631_p20190619
USE='-static-libs' succeeded for =app-arch/lrzip-0.631_p20190619
USE='static-libs' succeeded for =app-arch/lrzip-0.631_p20190619
arm stable
Looking good on ppc64.

# cat lrzip-624462.report
USE tests started on Do 31. Okt 18:52:56 CET 2019
FEATURES=' test' USE='' succeeded for =app-arch/lrzip-0.631_p20190619
USE='-static-libs' succeeded for =app-arch/lrzip-0.631_p20190619
USE='static-libs' succeeded for =app-arch/lrzip-0.631_p20190619
revdep tests started on Do 31. Okt 18:58:17 CET 2019
FEATURES=' test' USE='' succeeded for mail-filter/amavisd-new
ppc/ppc64 stable thanks to ernsteiswuerfel!
arm64 stable
hppa and sparc stable (last arches).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa1bb661056944dbd337445144911fab166a0e78

commit aa1bb661056944dbd337445144911fab166a0e78
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-03-18 03:09:05 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 19:09:18 +0000

    app-arch/lrzip: security cleanup (bug #624462)

    Dropping old versions; new fixed version has long since been stabilised.

    Bug: https://bugs.gentoo.org/624462
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Closes: https://github.com/gentoo/gentoo/pull/15000
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-arch/lrzip/Manifest              |  2 --
 app-arch/lrzip/lrzip-0.621.ebuild    | 35 ---------------------------------
 app-arch/lrzip/lrzip-0.631-r1.ebuild | 38 ------------------------------------
 3 files changed, 75 deletions(-)
Tree is clean!
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
This issue was resolved and addressed in GLSA 202005-01 at https://security.gentoo.org/glsa/202005-01 by GLSA coordinator Thomas Deutschmann (whissi).