Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 905308 (CVE-2023-0341) - <app-text/editorconfig-core-c-0.12.6: arbitrary stack write
Summary: <app-text/editorconfig-core-c-0.12.6: arbitrary stack write
Status: IN_PROGRESS
Alias: CVE-2023-0341
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://litios.github.io/2023/01/14/C...
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 907644
Blocks:
  Show dependency tree
 
Reported: 2023-04-29 18:23 UTC by John Helmert III
Modified: 2024-04-05 09:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-29 18:23:29 UTC 
CVE-2023-0341 (https://github.com/editorconfig/editorconfig-core-c/commit/41281ea82fbf24b060a9f69b9c5369350fb0529e):

A stack buffer overflow exists in the ec_glob function of editorconfig-core-c before v0.12.6 which allowed an attacker to arbitrarily write to the stack and possibly allows remote code execution. editorconfig-core-c v0.12.6 resolved this vulnerability by bound checking all write operations over the p_pcre buffer.

URL is 404, but patch is above. Please bump to 0.12.6.
Comment 1 Larry the Git Cow gentoo-dev 2023-04-30 07:03:31 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc3eedc2af4a8481630f374e1542699ae1235e92

commit bc3eedc2af4a8481630f374e1542699ae1235e92
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-04-30 07:02:33 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-04-30 07:03:19 +0000

    app-text/editorconfig-core-c: add 0.12.6
    
    Bug: https://bugs.gentoo.org/905308
    Signed-off-by: Sam James <sam@gentoo.org>

 app-text/editorconfig-core-c/Manifest              |  1 +
 .../editorconfig-core-c-0.12.6.ebuild              | 51 ++++++++++++++++++++++
 2 files changed, 52 insertions(+)
Comment 2 Hans de Graaff gentoo-dev Security 2024-04-05 09:21:11 UTC 
commit 0fe4d955423d5499061f7d52ce90ab13d4d05b12
Author: Zac Medico <zmedico@gentoo.org>
Date:   Sat Mar 2 15:33:34 2024 -0800

    app-text/editorconfig-core-c: drop 0.12.5