Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 835093 (CVE-2022-26981, CVE-2022-31783) - <dev-libs/liblouis-3.22.0: multiple vulnerabilities
Summary: <dev-libs/liblouis-3.22.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-26981, CVE-2022-31783
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/liblouis/liblouis/...
Whiteboard: B3 [glsa+]
Keywords:
Depends on: 879999
Blocks:
  Show dependency tree
 
Reported: 2022-03-13 22:58 UTC by John Helmert III
Modified: 2023-01-11 05:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-13 22:58:41 UTC
CVE-2022-26981:

Liblouis through 3.21.0 has a buffer overflow in compilePassOpcode in compileTranslationTable.c (called, indirectly, by tools/lou_checktable.c).
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-02 21:58:01 UTC
CVE-2022-31783 (https://github.com/liblouis/liblouis/commit/ff747ec5e1ac54d54194846f6fe5bfc689192a85):
https://github.com/liblouis/liblouis/issues/1214

Liblouis 3.21.0 has an out-of-bounds write in compileRule in compileTranslationTable.c, as demonstrated by lou_trace.

The actual (unreleased) patch is: https://github.com/liblouis/liblouis/commit/2e4772befb2b1c37cb4b9d6572945115ee28630a
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-18 00:16:43 UTC
Both patches are in 3.22.0
Comment 4 Larry the Git Cow gentoo-dev 2022-08-18 00:55:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0d8d362d02f268871250ebeb1446dbe9bacfe5a

commit e0d8d362d02f268871250ebeb1446dbe9bacfe5a
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-08-18 00:06:50 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-18 00:55:15 +0000

    dev-libs/liblouis: add 3.22.0
    
    Bug: https://bugs.gentoo.org/835093
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-libs/liblouis/Manifest               |  1 +
 dev-libs/liblouis/liblouis-3.22.0.ebuild | 75 ++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-07 15:39:59 UTC
Please cleanup
Comment 6 Larry the Git Cow gentoo-dev 2022-11-22 17:00:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be785231506a1fcd7fe1492e3e6e842a93717c68

commit be785231506a1fcd7fe1492e3e6e842a93717c68
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-22 16:59:09 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-22 17:00:25 +0000

    dev-libs/liblouis: drop 3.17.0, 3.20.0, 3.22.0
    
    Bug: https://bugs.gentoo.org/835093
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 dev-libs/liblouis/Manifest               |  3 --
 dev-libs/liblouis/liblouis-3.17.0.ebuild | 75 --------------------------------
 dev-libs/liblouis/liblouis-3.20.0.ebuild | 75 --------------------------------
 dev-libs/liblouis/liblouis-3.22.0.ebuild | 75 --------------------------------
 4 files changed, 228 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 17:01:19 UTC
GLSA request filed
Comment 8 Larry the Git Cow gentoo-dev 2023-01-11 05:23:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=34441de4265fa8cf17547bd256447ecec4367521

commit 34441de4265fa8cf17547bd256447ecec4367521
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-01-11 05:18:26 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-01-11 05:22:05 +0000

    [ GLSA 202301-06 ] liblouis: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/835093
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202301-06.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-11 05:25:31 UTC
GLSA released, all done!