Bug 745474 (CVE-2020-8927) - <app-arch/brotli-1.0.9: Integer overflow when input chunk is larger than 2GiB in decoder (CVE-2020-8927)
Status: RESOLVED FIXED
Alias: CVE-2020-8927
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on: 744124 746932
Reported: 2020-09-29 22:21 UTC by Sam James
Modified: 2020-11-07 03:08 UTC

Package list:
app-arch/brotli-1.0.9-r1
Runtime testing required: ---
nattka: sanity-check+

Description Sam James archtester gentoo-dev Security 2020-09-29 22:21:29 UTC
Description:
"SECURITY: decoder: fix integer overflow when input chunk is larger than 2GiB (CVE-2020-8927)"
Comment 1 Sam James archtester gentoo-dev Security 2020-09-29 22:22:57 UTC
Ready to stable?
Comment 2 NATTkA bot gentoo-dev 2020-09-29 22:24:49 UTC
Unable to check for sanity:

> no match for package: app-arch/brotli-1.0.9
Comment 3 Sam James archtester gentoo-dev Security 2020-10-06 03:18:50 UTC
arm done
Comment 4 Agostino Sarubbo gentoo-dev 2020-10-07 06:50:34 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-10-07 06:53:34 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-10-07 06:55:00 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-10-07 07:11:06 UTC
x86 stable
Comment 8 Sam James archtester gentoo-dev Security 2020-10-19 03:17:39 UTC
Could you restrict tests because they are known not working for now btw? Thanks!
Comment 9 Craig Andrews gentoo-dev 2020-10-19 14:36:51 UTC
(In reply to Sam James from comment #8)
> Could you restrict tests because they are known not working for now btw?
> Thanks!

Absolutely - I have now done so.
Comment 10 Sam James archtester gentoo-dev Security 2020-10-20 04:57:53 UTC
arm64 done
Comment 11 Sam James archtester gentoo-dev Security 2020-10-20 14:39:29 UTC
(In reply to Craig Andrews from comment #9)
> (In reply to Sam James from comment #8)
> > Could you restrict tests because they are known not working for now btw?
> > Thanks!
> 
> Absolutely - I have now done so.

Thank you :)
Comment 12 Rolf Eike Beer 2020-10-29 22:09:16 UTC
hppa stable
Comment 13 Sam James archtester gentoo-dev Security 2020-11-06 15:44:18 UTC
amd64 done

all arches done
Comment 14 Sam James archtester gentoo-dev Security 2020-11-06 20:18:43 UTC
Please cleanup, thanks!
Comment 15 Larry the Git Cow gentoo-dev 2020-11-06 20:39:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6335edf52c5dc2b569ad2192f60f675a1dc177b4

commit 6335edf52c5dc2b569ad2192f60f675a1dc177b4
Author:     Craig Andrews <candrews@gentoo.org>
AuthorDate: 2020-11-06 20:39:25 +0000
Commit:     Craig Andrews <candrews@gentoo.org>
CommitDate: 2020-11-06 20:39:37 +0000

    app-arch/brotli: Cleanup old versions
    
    Bug: https://bugs.gentoo.org/745474
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Craig Andrews <candrews@gentoo.org>

 app-arch/brotli/Manifest               |  2 -
 app-arch/brotli/brotli-1.0.6-r1.ebuild | 80 ----------------------------------
 app-arch/brotli/brotli-1.0.7.ebuild    | 79 ---------------------------------
 3 files changed, 161 deletions(-)
Comment 16 John Helmert III gentoo-dev Security 2020-11-07 03:08:16 UTC
Thanks!