1) CVE-2017-7476
Description: "Gnulib before 2017-04-26 has a heap-based buffer overflow with the TZ environment variable. The error is in the save_abbr function in time_rz.c."
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1444774
Patch: https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=94e01571507835ff59dd8ce2a0b56a4b566965a4

2) CVE-2018-17942
Description: "The convert_to_decimal function in vasnprintf.c in Gnulib before 2018-09-23 has a heap-based buffer overflow because memory is not allocated for a trailing '\0' character during %f processing."
Patch: https://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commit;h=278b4175c9d7dd47c1a3071554aac02add3b3c35
If one of your packages blocks this bug, please investigate whether it contains a vulnerable version of gnulib -- or if it has in the past, so that we can act accordingly. Please be proactive and let us know about any other gnulib packages which seem to be missing from this tracker.
"due to": gnulib is intended to be embedded.
FYI: Pretty much all of these are false positives. Do not panic. I'll be checking these more thoroughly later but my script was not right. Having manually checked all the dependants so far, they are all clean. I will reopen any that need to be reopened / file new ones for packages not already listed, but I'll cover this. So do not worry. Thank you for any efforts so far, sorry for the hassle caused!