CVE-2023-25222: A heap-based buffer overflow vulnerability exists in GNU LibreDWG v0.12.5 via the bit_read_RC function at bits.c. Fix is in 0.12.5.5016, I suppose we need a bump?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e8d02fce183569d91b4eaeefddd9fc9f3280d64

commit 4e8d02fce183569d91b4eaeefddd9fc9f3280d64
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2023-05-01 13:13:19 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2023-05-01 13:15:57 +0000

    media-gfx/libredwg: add 0.12.5.5487

    Should fix CVE-2022-45332 and CVE-2022-45332. The patch for CVE-2022-35164 is still not merged to master yet because apparently there are some problems with this patch.

    Bug: https://bugs.gentoo.org/905327
    Bug: https://bugs.gentoo.org/856034
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 media-gfx/libredwg/Manifest                    |   1 +
 media-gfx/libredwg/libredwg-0.12.5.5487.ebuild | 113 +++++++++++++++++++++++++
 2 files changed, 114 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff4e76bd91741c20f4c93c94dfb3366c5df24737

commit ff4e76bd91741c20f4c93c94dfb3366c5df24737
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2023-06-27 12:03:59 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2023-06-27 12:06:11 +0000

    media-gfx/libredwg: add 0.12.5.5865

    patch for CVE-2022-35164 is in this version

    Bug: https://bugs.gentoo.org/856034
    Bug: https://bugs.gentoo.org/905327
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 media-gfx/libredwg/Manifest                    |   1 +
 media-gfx/libredwg/libredwg-0.12.5.5865.ebuild | 113 +++++++++++++++++++++++++
 2 files changed, 114 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=155a3f7e540554ffd19e914cc8b54c9725522797

commit 155a3f7e540554ffd19e914cc8b54c9725522797
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2023-09-14 08:59:56 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2023-09-14 08:59:56 +0000

    media-gfx/libredwg: drop 0.12.5-r1, 0.12.5.5865

    Closes: https://bugs.gentoo.org/905443
    Closes: https://bugs.gentoo.org/896222
    Bug: https://bugs.gentoo.org/905327
    Bug: https://bugs.gentoo.org/856034
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 media-gfx/libredwg/Manifest                    |   2 -
 media-gfx/libredwg/libredwg-0.12.5-r1.ebuild   | 113 -------------------------
 media-gfx/libredwg/libredwg-0.12.5.5865.ebuild | 113 -------------------------
 3 files changed, 228 deletions(-)
Thanks!