Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 834456 (CVE-2022-26291, CVE-2022-28044) - <app-arch/lrzip-0.650: Multiple vulnerabilities
Summary: <app-arch/lrzip-0.650: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-26291, CVE-2022-28044
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa? cleanup]
Keywords:
: 836350 (view as bug list)
Depends on: 836957
Blocks:
  Show dependency tree
 
Reported: 2022-03-02 02:30 UTC by Sam James
Modified: 2022-04-16 05:03 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-02 02:30:58 UTC 
Upstream's release notes/blog post [0] note that some of the fixes in this release may have security implications:

"A number of accumulated bug reports had collected since the last lrzip release and since I regularly use lrzip I want to make sure it stays bug free as far as I am aware, even if I'm not planning any new features for it. As some of the changes are potentially security fixes, I urge any user to update."

[0] https://ck-hack.blogspot.com/2022/02/lrzip-version-0650.html
Comment 1 Larry the Git Cow gentoo-dev 2022-03-02 02:31:21 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61c003d081de7195408fb32386a7afdf4ec8b5b2

commit 61c003d081de7195408fb32386a7afdf4ec8b5b2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-03-02 02:29:49 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-02 02:31:03 +0000

    app-arch/lrzip: add 0.650
    
    Bug: https://bugs.gentoo.org/834456
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/lrzip/Manifest           |  1 +
 app-arch/lrzip/lrzip-0.650.ebuild | 51 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
Comment 2 Joe Kappus 2022-03-08 23:58:50 UTC 
Con just released 0.651: https://ck-hack.blogspot.com/2022/03/lrzip-version-0651.html
Comment 3 Larry the Git Cow gentoo-dev 2022-03-11 11:01:13 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9923950a8fb3c067c6102f7175b94ecc1cbbdfaf

commit 9923950a8fb3c067c6102f7175b94ecc1cbbdfaf
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-03-11 09:19:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-03-11 11:00:55 +0000

    app-arch/lrzip: add 0.651
    
    Not thought to fix any further vulnerabilities but it's a better
    stable candidate.
    
    Bug: https://bugs.gentoo.org/834456
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/lrzip/Manifest           |  1 +
 app-arch/lrzip/lrzip-0.651.ebuild | 51 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-29 09:15:18 UTC 
*** Bug 836350 has been marked as a duplicate of this bug. ***
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-14 16:56:20 UTC 
Please cleanup
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-16 05:03:35 UTC 
CVE-2022-28044 (https://github.com/ckolivas/lrzip/issues/216):

Irzip v0.640 was discovered to contain a heap memory corruption via the component lrzip.c:initialise_control.