Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 830665 (CVE-2021-46141, CVE-2021-46142) - <dev-libs/uriparser-0.9.6: multiple vulnerabilities
Summary: <dev-libs/uriparser-0.9.6: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2021-46141, CVE-2021-46142
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 830711
Blocks:
  Show dependency tree
 
Reported: 2022-01-06 07:32 UTC by John Helmert III
Modified: 2022-01-08 20:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2022-01-06 07:32:58 UTC
CVE-2021-46141 (https://github.com/uriparser/uriparser/issues/121):

An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriFreeUriMembers and uriMakeOwner.

CVE-2021-46142 (https://github.com/uriparser/uriparser/issues/122):

An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.

Please bump to 0.9.6.
Comment 1 Sebastian Pipping gentoo-dev 2022-01-06 15:51:58 UTC
I guess you're officially faster than me :)  Upstream release and Gentoo bump to 0.9.6 coming soon.
Comment 2 Larry the Git Cow gentoo-dev 2022-01-06 20:17:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6fe389bbf400ccbe9ee83697f55ddd9be611cac2

commit 6fe389bbf400ccbe9ee83697f55ddd9be611cac2
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2022-01-06 20:15:00 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2022-01-06 20:16:27 +0000

    dev-libs/uriparser: 0.9.6
    
    Bug: https://bugs.gentoo.org/830665
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 dev-libs/uriparser/Manifest               |  1 +
 dev-libs/uriparser/uriparser-0.9.6.ebuild | 57 +++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)
Comment 3 John Helmert III gentoo-dev Security 2022-01-06 21:59:35 UTC
Thanks! Please stable when ready.
Comment 4 Sebastian Pipping gentoo-dev 2022-01-06 22:52:03 UTC
(In reply to John Helmert III from comment #3)
> Thanks! Please stable when ready.

Green light from my side.
How do I unlock the editbox with the package atom to stabilize in a security ticket like this one?  Should I add arch teams (amd64 arm arm64 ppc sparc x86) for CC, only?
Comment 5 John Helmert III gentoo-dev Security 2022-01-06 23:23:08 UTC
You should file a separate bug and block this one as described here: https://archives.gentoo.org/gentoo-dev-announce/message/66f1227144d451eac3c1f641771be557
Comment 6 Sebastian Pipping gentoo-dev 2022-01-06 23:44:21 UTC
(In reply to John Helmert III from comment #5)
> You should file a separate bug and block this one as described here:
> https://archives.gentoo.org/gentoo-dev-announce/message/
> 66f1227144d451eac3c1f641771be557

I see, thanks!
Comment 7 Sebastian Pipping gentoo-dev 2022-01-08 01:58:45 UTC
Should I delete vulnerable 0.9.5 now?
Comment 8 John Helmert III gentoo-dev Security 2022-01-08 03:51:13 UTC
(In reply to Sebastian Pipping from comment #7)
> Should I delete vulnerable 0.9.5 now?

Please do!
Comment 9 Larry the Git Cow gentoo-dev 2022-01-08 15:02:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33289e80e5ad2ce3a26a4cc6f1964df258e0e9ac

commit 33289e80e5ad2ce3a26a4cc6f1964df258e0e9ac
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2022-01-08 15:01:37 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2022-01-08 15:01:37 +0000

    dev-libs/uriparser: Drop vulnerable <0.9.6
    
    Bug: https://bugs.gentoo.org/830665
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 dev-libs/uriparser/Manifest               |  1 -
 dev-libs/uriparser/uriparser-0.9.5.ebuild | 57 -------------------------------
 2 files changed, 58 deletions(-)