Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 866401 (CVE-2022-36055) - <app-admin/helm-3.9.4: DoS via OOM panic
Summary: <app-admin/helm-3.9.4: DoS via OOM panic
Status: RESOLVED FIXED
Alias: CVE-2022-36055
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/helm/helm/security...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-08-24 20:09 UTC by John Helmert III
Modified: 2023-04-30 22:14 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-24 20:09:11 UTC
"Fuzz testing, provided by the CNCF, identified input to functions in the strvals package that can cause an out of memory panic. Out of memory panics cannot be recovered from. Applications that use functions from the strvals package in the Helm SDK can have a Denial of Service attack when they use this package and it panics."

Fix is in 3.9.4, please bump.
Comment 1 Larry the Git Cow gentoo-dev 2022-09-09 17:20:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2c41d36a874cba2f7adcc8f0aaa1f317c1ab6ac

commit a2c41d36a874cba2f7adcc8f0aaa1f317c1ab6ac
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-09-09 17:14:51 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-09-09 17:19:31 +0000

    app-admin/helm: add 3.9.4
    
    Bug: https://bugs.gentoo.org/866401
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-admin/helm/Manifest          |  2 ++
 app-admin/helm/helm-3.9.4.ebuild | 41 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-09 17:29:47 UTC
Thanks! Please stabilize when ready.
Comment 3 Ulrich Müller gentoo-dev 2022-11-29 12:17:41 UTC
(In reply to John Helmert III from comment #2)
> Thanks! Please stabilize when ready.

3.9.4 is stable since September.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-29 23:00:11 UTC
(In reply to Ulrich Müller from comment #3)
> (In reply to John Helmert III from comment #2)
> > Thanks! Please stabilize when ready.
> 
> 3.9.4 is stable since September.

Of course, nobody told the bug..
Comment 5 Larry the Git Cow gentoo-dev 2022-11-29 23:10:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3666d2e7ea144e78d67aa7b6d00c19c3fbc95a0

commit c3666d2e7ea144e78d67aa7b6d00c19c3fbc95a0
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-29 23:01:14 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-29 23:09:57 +0000

    app-admin/helm: drop 3.8.1
    
    Bug: https://bugs.gentoo.org/866401
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-admin/helm/Manifest          |  2 --
 app-admin/helm/helm-3.8.1.ebuild | 41 ----------------------------------------
 2 files changed, 43 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-30 22:14:49 UTC
Only DoS, only reachable from reverse dependencies. No GLSA.