Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 711930 (CVE-2019-14531, CVE-2019-14532, CVE-2020-10232, CVE-2020-10233) - <app-forensics/sleuthkit-4.9.0: Multiple vulnerabilities (CVE-2019-{14531,14532}, CVE-2020-{10232,10233})
Summary: <app-forensics/sleuthkit-4.9.0: Multiple vulnerabilities (CVE-2019-{14531,145...
Status: RESOLVED FIXED
Alias: CVE-2019-14531, CVE-2019-14532, CVE-2020-10232, CVE-2020-10233
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: 721154
Blocks: CVE-2018-11737, CVE-2018-11738, CVE-2018-11739, CVE-2018-11740, CVE-2018-19497 CVE-2019-1010065
  Show dependency tree
 
Reported: 2020-03-09 08:59 UTC by Sam James
Modified: 2020-06-20 01:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-09 08:59:11 UTC
1) CVE-2020-10232

Description:
"In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a stack buffer overflow vulnerability in the YAFFS file timestamp parsing logic in yaffsfs_istat() in fs/yaffs.c."

Patch: https://github.com/sleuthkit/sleuthkit/commit/459ae818fc8dae717549810150de4d191ce158f1

2) CVE-2020-10233

Description:
"In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a heap-based buffer over-read in ntfs_dinode_lookup in fs/ntfs.c."

Bug: https://github.com/sleuthkit/sleuthkit/issues/1829
Patch (PR): https://github.com/sleuthkit/sleuthkit/pull/1837
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-30 15:02:02 UTC
@maintainer(s), please create an appropriate ebuild
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-16 00:10:06 UTC
@maintainer(s): ping
Comment 3 Larry the Git Cow gentoo-dev 2020-05-06 00:07:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=811a39b416b02091e788a3788c6b3bad1396e4fb

commit 811a39b416b02091e788a3788c6b3bad1396e4fb
Author:     Göktürk Yüksek <gokturk@gentoo.org>
AuthorDate: 2020-05-06 00:01:59 +0000
Commit:     Göktürk Yüksek <gokturk@gentoo.org>
CommitDate: 2020-05-06 00:06:57 +0000

    app-forensics/sleuthkit: bump to 4.9.0
    
    Bug: https://bugs.gentoo.org/711930
    Package-Manager: Portage-2.3.69, Repoman-2.3.14
    Signed-off-by: Göktürk Yüksek <gokturk@gentoo.org>

 app-forensics/sleuthkit/Manifest               |   2 +
 app-forensics/sleuthkit/sleuthkit-4.9.0.ebuild | 298 +++++++++++++++++++++++++
 2 files changed, 300 insertions(+)
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-05-12 03:16:38 UTC
CVE-2019-14532 (https://nvd.nist.gov/vuln/detail/CVE-2019-14532):
  An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an
  off-by-one overwrite due to an underflow on tools/hashtools/hfind.cpp while
  using a bogus hash table.

CVE-2019-14531 (https://nvd.nist.gov/vuln/detail/CVE-2019-14531):
  An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an out of
  bounds read on iso9660 while parsing System Use Sharing Protocol data in
  fs/iso9660.c.
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-10 21:49:57 UTC
@maintainer(s), please cleanup
Comment 6 Larry the Git Cow gentoo-dev 2020-06-20 01:11:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f51fa4ab5df227dd66c3979406ce194968ff329c

commit f51fa4ab5df227dd66c3979406ce194968ff329c
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 01:11:03 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 01:11:03 +0000

    app-forensics/sleuthkit: drop vulnerable
    
    Bug: https://bugs.gentoo.org/690194
    Bug: https://bugs.gentoo.org/711930
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 app-forensics/sleuthkit/Manifest               |   7 -
 app-forensics/sleuthkit/sleuthkit-4.6.5.ebuild | 270 -----------------------
 app-forensics/sleuthkit/sleuthkit-4.6.6.ebuild | 270 -----------------------
 app-forensics/sleuthkit/sleuthkit-4.6.7.ebuild | 268 -----------------------
 app-forensics/sleuthkit/sleuthkit-4.7.0.ebuild | 289 ------------------------
 app-forensics/sleuthkit/sleuthkit-4.8.0.ebuild | 292 -------------------------
 6 files changed, 1396 deletions(-)