Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 652686 (CVE-2018-1000097) - <app-arch/sharutils-4.15.2-r1: Buffer overflow
Summary: <app-arch/sharutils-4.15.2-r1: Buffer overflow
Status: RESOLVED FIXED
Alias: CVE-2018-1000097
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://security-tracker.debian.org/t...
Whiteboard: A4 [noglsa cve]
Keywords:
Depends on: glibc-2.28-stable
Blocks:
  Show dependency tree
 
Reported: 2018-04-06 15:53 UTC by Ian Zimmerman
Modified: 2019-08-10 16:32 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Fix CVE-2018-1000097, heap buffer overflow in unshar (file_652686.txt,422 bytes, patch)
2018-12-28 11:43 UTC, Juan Carlos Perez
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2018-04-06 15:53:23 UTC
According to the summary at $URL:

Sharutils sharutils (unshar command) version 4.15.2 contains a Buffer Overflow vulnerability in Affected component on the file unshar.c at line 75, function looks_like_c_code. Failure to perform checking of the buffer containing input line. that can result in Could lead to code execution. This attack appear to be exploitable via Victim have to run unshar command on a specially crafted file..


Reproducible: Always
Comment 1 Juan Carlos Perez 2018-12-28 11:43:36 UTC
Created attachment 558684 [details, diff]
Fix CVE-2018-1000097, heap buffer overflow in unshar

From: Petr Pisar
Subject: Fix CVE-2018-1000097, heap buffer overflow in unshar
Bug-Debian: https://bugs.debian.org/893525
X-Debian-version: 1:4.15.2-3
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-03-12 06:49:01 UTC
This got lost in bugzilla due to no base-system cc, or classification. Re-surfacing!
Comment 3 Larry the Git Cow gentoo-dev 2019-03-13 12:03:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=648bdf9134d87d5d6ca086b742964b77c3da87d8

commit 648bdf9134d87d5d6ca086b742964b77c3da87d8
Author:     Andreas K. Hüttel <dilfridge@gentoo.org>
AuthorDate: 2019-03-13 12:02:46 +0000
Commit:     Andreas K. Hüttel <dilfridge@gentoo.org>
CommitDate: 2019-03-13 12:02:46 +0000

    app-arch/sharutils: Add patch for CVE-2018-1000097
    
    Bug: https://bugs.gentoo.org/652686
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>

 .../files/sharutils-4.15.2-CVE-2018-1000097.patch        | 16 ++++++++++++++++
 ...harutils-4.15.2.ebuild => sharutils-4.15.2-r1.ebuild} |  1 +
 2 files changed, 17 insertions(+)
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2019-03-13 12:05:10 UTC
Let's stabilize this together with glibc in bug 674126
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-05-02 22:43:31 UTC
Please drop vulnerable