Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 901089 (CVE-2022-40320) - <dev-libs/confuse-3.3-r2: Heap buffer overflow
Summary: <dev-libs/confuse-3.3-r2: Heap buffer overflow
Alias: CVE-2022-40320
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa? cleanup]
Keywords: PullRequest
Depends on: 904536
  Show dependency tree
Reported: 2023-03-13 21:45 UTC by Vaibhav Rustagi
Modified: 2023-04-30 23:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Vaibhav Rustagi 2023-03-13 21:45:58 UTC
CVE-2022-40320: cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read.
Comment 1 Vaibhav Rustagi 2023-03-13 21:49:00 UTC
Created a PR:
Comment 2 Larry the Git Cow gentoo-dev 2023-03-13 23:27:18 UTC
The bug has been referenced in the following commit(s):

commit 5dce806e4b3a04419f125938501990818739bbb8
Author:     Vaibhav Rustagi <>
AuthorDate: 2023-03-13 21:33:11 +0000
Commit:     Sam James <>
CommitDate: 2023-03-13 23:27:02 +0000

    dev-libs/confuse: Add fix for CVE-2022-40320
    The source of libconfuse package didn't make a release since Jun 24,
    2020 ( Therefore, to fix the
    CVE add a patch.
    [sam: adjust patch metadata, drop back to ~arch.]
    Signed-off-by: Vaibhav Rustagi <>
    Signed-off-by: Sam James <>

 dev-libs/confuse/confuse-3.3-r2.ebuild             | 62 ++++++++++++++++++++++
 .../files/confuse-3.3-fix-CVE-2022-40320.patch     | 39 ++++++++++++++
 2 files changed, 101 insertions(+)