CVE-2023-43616 (https://github.com/schollz/croc/issues/594): An issue was discovered in Croc through 9.6.5. A sender can cause a receiver to overwrite files during ZIP extraction.

CVE-2023-43617 (https://github.com/schollz/croc/issues/596): An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name.

CVE-2023-43618 (https://github.com/schollz/croc/issues/597): An issue was discovered in Croc through 9.6.5. The protocol requires a sender to provide its local IP addresses in cleartext via an ips? message.

CVE-2023-43619 (https://github.com/schollz/croc/issues/593): An issue was discovered in Croc through 9.6.5. A sender may send dangerous new files to a receiver, such as executable content or a .ssh/authorized_keys file.

CVE-2023-43620 (https://github.com/schollz/croc/issues/595): An issue was discovered in Croc through 9.6.5. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver.

CVE-2023-43621 (https://github.com/schollz/croc/issues/598): An issue was discovered in Croc through 9.6.5. The shared secret, located on a command line, can be read by local users who list all processes and their arguments.

All unfixed upstream.
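The receiver-side checks implied by CVE-2023-43616, CVE-2023-43619 and CVE-2023-43620, as an added Go example; it is not croc's code and not the upstream fix. `VetIncomingName`, `CreateNew` and the deny-list are hypothetical names and constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"unicode"
	"unicode/utf8"
)

// denied is a constructed, non-exhaustive list of path components (assumption).
var denied = map[string]bool{".ssh": true, ".bashrc": true, ".profile": true}

// VetIncomingName (hypothetical) vets a sender-supplied name below destDir.
func VetIncomingName(destDir, name string) (string, error) {
	// Terminal escapes (CVE-2023-43620 class): ESC, C1 CSI, raw 0x9b bytes.
	for _, r := range name {
		if unicode.IsControl(r) || r == utf8.RuneError {
			return "", fmt.Errorf("control or invalid character %U in file name", r)
		}
	}
	clean := filepath.Clean(name)
	if filepath.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return "", errors.New("file name escapes the destination directory")
	}
	// Dangerous new files (CVE-2023-43619 class), e.g. .ssh/authorized_keys.
	for _, part := range strings.Split(clean, string(filepath.Separator)) {
		if denied[part] {
			return "", fmt.Errorf("refusing sensitive path component %q", part)
		}
	}
	return filepath.Join(destDir, clean), nil
}

// CreateNew uses O_EXCL: an existing file is never overwritten (CVE-2023-43616 class).
func CreateNew(destDir, name string) (*os.File, error) {
	path, err := VetIncomingName(destDir, name)
	if err != nil {
		return nil, err
	}
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return nil, err
	}
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
}

func main() { fmt.Println(VetIncomingName(".", "a\x1b[2Jb.txt")) } // constructed sample name
```

Creating with `O_EXCL` rather than checking for existence first avoids a race between the check and the write.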
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78152d7c1255762e7a7623de16bee644f4aae414

commit 78152d7c1255762e7a7623de16bee644f4aae414
Author: Armas Spann <zappel@simple-co.de>
AuthorDate: 2024-01-31 14:48:31 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2024-02-01 10:10:14 +0000

    net-misc/croc: drop 9.6.2, 9.6.4

    Bug: https://bugs.gentoo.org/918091
    Closes: https://bugs.gentoo.org/893980
    Signed-off-by: Armas Spann <zappel@simple-co.de>
    Closes: https://github.com/gentoo/gentoo/pull/35115
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 net-misc/croc/Manifest | 4 ----
 net-misc/croc/croc-9.6.2.ebuild | 50 -----------------------------------------
 net-misc/croc/croc-9.6.4.ebuild | 50 -----------------------------------------
 3 files changed, 104 deletions(-)
I apologize for my late response on this - But I think we need to "partially" re-open this ticket. As I've updated croc to version 9.6.6 - but none of the bugs mentioned in here are yet closed, see:

https://github.com/schollz/croc/issues/593 - open (requested CVE update/clarification for 9.6.6)
https://github.com/schollz/croc/issues/594 - open (requested CVE update/clarification for 9.6.6)
https://github.com/schollz/croc/issues/595 - open (requested CVE update/clarification for 9.6.6)
https://github.com/schollz/croc/issues/598 - open (requested CVE update/clarification for 9.6.6)
https://github.com/schollz/croc/issues/596 - open: changed from "bug" to enhancement
https://github.com/schollz/croc/issues/597 - open: changed from "bug" to enhancement

From my PoV two of them were lowered to being a "feature" instead of a vulnerability, whilst the other 4 are still unfixed. Please let me know how we should proceed.
> I apologize for my late response on this - But I think we need to "partially" re-open this ticket.

Thanks for noticing! We'll keep this open until they're fixed, or we can split unfixed bugs into another bug once some of them are fixed in-tree.
Thanks for your reply. I just saw the updates from 9.6.7 - 9.6.9 flew by since last week. I'll take care to update the ebuild as soon as possible and will inform you if they fixed it.
I have updated the summary version to reflect that we don't have a version in the repository where all vulnerabilities are fixed yet.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ade17527c6ef959b7cde6698aeebb00a6b6a74c3

commit ade17527c6ef959b7cde6698aeebb00a6b6a74c3
Author: Armas Spann <zappel@simple-co.de>
AuthorDate: 2024-10-14 16:57:10 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2024-10-14 18:20:27 +0000

    net-misc/croc: drop 9.6.15

    Removal of obsolete croc-9.6.15, which was the last version
    containing some known CVEs which are fixed in croc >=9.6.16.

    See https://github.com/schollz/croc/releases/tag/v9.6.16 as
    a reference.

    Bug: https://bugs.gentoo.org/918091
    Signed-off-by: Armas Spann <zappel@simple-co.de>
    Closes: https://github.com/gentoo/gentoo/pull/38989
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 net-misc/croc/Manifest | 2 --
 net-misc/croc/croc-9.6.15.ebuild | 47 ----------------------------------------
 2 files changed, 49 deletions(-)