887269 – (CVE-2022-44940) <dev-util/patchelf-0.16.1: out of bounds read

Bug 887269 (CVE-2022-44940) - <dev-util/patchelf-0.16.1: out of bounds read

Summary: <dev-util/patchelf-0.16.1: out of bounds read

Status:	RESOLVED FIXED

Alias:	CVE-2022-44940

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A4 [noglsa]
Keywords:

Depends on:	887271
Blocks:
	Show dependency tree

Reported:	2022-12-19 23:54 UTC by John Helmert III
Modified:	2022-12-24 17:29 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-12-19 23:54:06 UTC

CVE-2022-44940 (https://github.com/NixOS/patchelf/pull/419):

Patchelf v0.9 was discovered to contain an out-of-bounds read via the function modifyRPath at src/patchelf.cc.

Patch in 0.16.0 onwards: https://github.com/NixOS/patchelf/commit/b751eeb137d71765b3c35c4210c1c3b64dcd3a32

Please stabilize >=0.16.0.

Comment 1 James Le Cuirot gentoo-dev

2022-12-24 17:23:13 UTC

0.17.0 has been stabilised and the old versions have been cleaned.

Comment 2 John Helmert III archtester

2022-12-24 17:29:22 UTC

OOB read with no apparent further impact. No GLSA, all done.