Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 658008 (CVE-2018-11496, CVE-2018-5650, CVE-2018-5747, CVE-2018-9058) - <app-arch/lrzip-0.631_p20190619: multiple vulnerabilities
Summary: <app-arch/lrzip-0.631_p20190619: multiple vulnerabilities
Alias: CVE-2018-11496, CVE-2018-5650, CVE-2018-5747, CVE-2018-9058
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor with 1 vote (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Reported: 2018-06-12 20:56 UTC by Florian Schuhmacher
Modified: 2020-04-18 10:24 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schuhmacher 2018-06-12 20:56:13 UTC
In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in read_stream in stream.c, because decompress_file in lrzip.c lacks certain size validation. 

Checked the source code the vuln seems to affect these versions too:

0.621 (stable) 0.630 (testing)

Gentoo Security Scout
Florian Schuhmacher
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2019-08-10 16:47:04 UTC




All fixed in master.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 19:26:12 UTC
Tree is clean!
Comment 3 NATTkA bot gentoo-dev 2020-04-12 19:30:42 UTC
Unable to check for sanity:

> dependent bug #624462 is missing keywords
Comment 4 NATTkA bot gentoo-dev 2020-04-13 14:41:32 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 06:52:32 UTC
GLSA Vote: No
Thank you all for you work. 
Closing as [noglsa].