CVE-2021-46141 (https://github.com/uriparser/uriparser/issues/121): An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner.

CVE-2021-46142 (https://github.com/uriparser/uriparser/issues/122): An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.

Please bump to 0.9.6.
I guess you're officially faster than me :) Upstream release and Gentoo bump to 0.9.6 coming soon.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6fe389bbf400ccbe9ee83697f55ddd9be611cac2

commit 6fe389bbf400ccbe9ee83697f55ddd9be611cac2
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2022-01-06 20:15:00 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2022-01-06 20:16:27 +0000

    dev-libs/uriparser: 0.9.6

    Bug: https://bugs.gentoo.org/830665
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 dev-libs/uriparser/Manifest               |  1 +
 dev-libs/uriparser/uriparser-0.9.6.ebuild | 57 +++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)
Thanks! Please stable when ready.
(In reply to John Helmert III from comment #3)
> Thanks! Please stable when ready.

Green light from my side. How do I unlock the editbox with the package atom to stabilize in a security ticket like this one? Should I add arch teams (amd64 arm arm64 ppc sparc x86) for CC, only?
You should file a separate bug and block this one as described here: https://archives.gentoo.org/gentoo-dev-announce/message/66f1227144d451eac3c1f641771be557
(In reply to John Helmert III from comment #5)
> You should file a separate bug and block this one as described here:
> https://archives.gentoo.org/gentoo-dev-announce/message/66f1227144d451eac3c1f641771be557

I see, thanks!
Should I delete vulnerable 0.9.5 now?
(In reply to Sebastian Pipping from comment #7)
> Should I delete vulnerable 0.9.5 now?

Please do!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33289e80e5ad2ce3a26a4cc6f1964df258e0e9ac

commit 33289e80e5ad2ce3a26a4cc6f1964df258e0e9ac
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2022-01-08 15:01:37 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2022-01-08 15:01:37 +0000

    dev-libs/uriparser: Drop vulnerable <0.9.6

    Bug: https://bugs.gentoo.org/830665
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 dev-libs/uriparser/Manifest               |  1 -
 dev-libs/uriparser/uriparser-0.9.5.ebuild | 57 -------------------------------
 2 files changed, 58 deletions(-)