Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 901089 (CVE-2022-40320) - <dev-libs/confuse-3.3-r2: Heap buffer overflow
Summary: <dev-libs/confuse-3.3-r2: Heap buffer overflow
Status: IN_PROGRESS
Alias: CVE-2022-40320
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa? cleanup]
Keywords: PullRequest
Depends on: 904536
Blocks:
  Show dependency tree
 
Reported: 2023-03-13 21:45 UTC by Vaibhav Rustagi
Modified: 2023-04-30 23:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Vaibhav Rustagi 2023-03-13 21:45:58 UTC
CVE-2022-40320: cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffer over-read.
Comment 1 Vaibhav Rustagi 2023-03-13 21:49:00 UTC
Created a PR: https://github.com/gentoo/gentoo/pull/30104
Comment 2 Larry the Git Cow gentoo-dev 2023-03-13 23:27:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5dce806e4b3a04419f125938501990818739bbb8

commit 5dce806e4b3a04419f125938501990818739bbb8
Author:     Vaibhav Rustagi <vaibhavrustagi@google.com>
AuthorDate: 2023-03-13 21:33:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-03-13 23:27:02 +0000

    dev-libs/confuse: Add fix for CVE-2022-40320
    
    The source of libconfuse package didn't make a release since Jun 24,
    2020 (https://github.com/libconfuse/libconfuse). Therefore, to fix the
    CVE add a patch.
    
    [sam: adjust patch metadata, drop back to ~arch.]
    
    Bug: https://bugs.gentoo.org/901089
    Signed-off-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
    Closes: https://github.com/gentoo/gentoo/pull/30104
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/confuse/confuse-3.3-r2.ebuild             | 62 ++++++++++++++++++++++
 .../files/confuse-3.3-fix-CVE-2022-40320.patch     | 39 ++++++++++++++
 2 files changed, 101 insertions(+)