FS#65971 - [bsdiff] [security] Unpatched integer range vulnerabilities

Attached to Project: Arch Linux
Opened by Mingye Wang (arthur2e5) - Wednesday, 25 March 2020, 07:15 GMT
Last edited by Antonio Rojas (arojas) - Friday, 27 January 2023, 07:30 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Kyle Keen (keenerd), Levente Polyak (anthraxx)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No


bsdiff (4.3-9) as currently packaged by Arch Linux is susceptible to a number of old vulnerabilities.

Links to vulnerabilities and patches:
* CVE-2014-9862. See https://security.freebsd.org/advisories/FreeBSD-SA-16:25.bsp for patch.
* Integer overflow detected by ChromeOS fuzzer. See https://github.com/freebsd/freebsd/commit/d0260bc2831cae2689042b07f26b575bd6e5f65a for patch and https://android.googlesource.com/platform/external/bsdiff/+/6e40d9347586f0bc628295a0c581c95eeae0a234%5E%21/ for ChromeOS version.
* Unnamed memory corruption in FreeBSD. See https://github.com/freebsd/freebsd/commit/59381119a4c0b13088daea263ddd543d9bba5a16#diff-e337a2befd51c9e5715355c2fcbab673 for patch and https://gist.github.com/anonymous/e48209b03f1dd9625a992717e7b89c4f for exploit.

Steps to reproduce:
See links.

Closed by Antonio Rojas (arojas)
Friday, 27 January 2023, 07:30 GMT
Reason for closing: Won't fix
Additional comments about closing: Removed from repos
Comment by Mingye Wang (arthur2e5) - Wednesday, 25 March 2020, 07:47 GMT