Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 786951 (CVE-2021-30218, CVE-2021-30219) - <dev-util/samurai-1.2-r2: multiple vulnerabilities
Summary: <dev-util/samurai-1.2-r2: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-30218, CVE-2021-30219
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2021-04-29 19:03 UTC by Sam James
Modified: 2022-07-15 03:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-29 19:03:27 UTC 
* CVE-2021-30218

Description:
"samurai 1.2 has a NULL pointer dereference in writefile() in util.c via a crafted build file."

Bug: https://github.com/michaelforney/samurai/issues/67

* CVE-2021-30219

Description:
"samurai 1.2 has a NULL pointer dereference in printstatus() function in build.c via a crafted build file."

Bug: https://github.com/michaelforney/samurai/issues/68
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-29 19:03:58 UTC 
(Patches in the linked bugs.)
Comment 2 Larry the Git Cow gentoo-dev 2021-04-29 19:50:33 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=68b485ff058af6b943ff6633724e3d2ddeb2c7b2

commit 68b485ff058af6b943ff6633724e3d2ddeb2c7b2
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-04-29 19:40:38 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-04-29 19:49:57 +0000

    dev-util/samurai: Security revbump to fix null pointer dereference
    
    Removed old
    
    Bug: https://bugs.gentoo.org/786951
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 .../files/samurai-1.2-null_pointer_fix.patch       | 26 ++++++++++++++++++++++
 .../{samurai-1.2.ebuild => samurai-1.2-r1.ebuild}  |  4 ++++
 2 files changed, 30 insertions(+)
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2021-04-29 19:51:14 UTC 
No stabilization required yet...
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-29 19:55:41 UTC 
thanks poly, all done!
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-13 18:39:58 UTC 
Resurrecting as the patch for CVE-2021-30218 wasn't actually added.

https://github.com/gentoo/gentoo/pull/26386
Comment 6 Larry the Git Cow gentoo-dev 2022-07-15 02:14:15 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8cc59eb3b6d73b67c17da03342dac6b241451cce

commit 8cc59eb3b6d73b67c17da03342dac6b241451cce
Author:     orbea <orbea@riseup.net>
AuthorDate: 2022-07-13 15:10:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-07-15 02:13:56 +0000

    dev-util/samurai: Add patch for CVE-2021-30218
    
    Also updates to EAPI 8.
    
    Bug: https://bugs.gentoo.org/786951
    Upstream-Commit: https://github.com/michaelforney/samurai/commit/e84b6d99c85043fa1ba54851ee500540ec206918
    Upstream-Issue: https://github.com/michaelforney/samurai/issues/67
    Signed-off-by: orbea <orbea@riseup.net>
    Closes: https://github.com/gentoo/gentoo/pull/26386
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/samurai-1.2-null_pointer_fix.patch       | 36 +++++++++++++++++++++-
 ...samurai-1.2-r1.ebuild => samurai-1.2-r2.ebuild} |  6 ++--
 dev-util/samurai/samurai-9999.ebuild               |  4 +--
 3 files changed, 40 insertions(+), 6 deletions(-)
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-07-15 03:37:26 UTC 
All done, thanks!