Arch Linux

FS#68613 - [raptor] CVE-2017-18926

Attached to Project: Arch Linux
Opened by Thomas Ludwig (adventurer) - Friday, 13 November 2020, 13:39 GMT
Last edited by David Runge (dvzrv) - Friday, 13 November 2020, 19:27 GMT
Task Type: Bug Report
Category: Security
Status: Closed
Assigned To: David Runge (dvzrv)
Architecture: All
Severity: Critical
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
Today Hanno Böck writes on https://www.golem.de/news/linux-distributionen-warum-ein-sicherheitsfix-drei-jahre-nicht-ankam-2011-152105.html that he reported a vulnerability in the raptor library in 2017, specifically a buffer overflow which can lead to a heap corruption. There is a fix on the project's GitHub site but unfortunately a new version hasn't been released since then. As a result this vulnerability has not been fixed in many Linux distributions. As far as I can see it's not fixed in Arch Linux either.


Additional info:
* package version: raptor 2.0.15-13
* Hanno Böck's bug report: https://www.openwall.com/lists/oss-security/2017/06/07/1
* CVE: https://nvd.nist.gov/vuln/detail/CVE-2017-18926
* The fix on the raptor GitHub site: https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f
* Debian Security Advisory: https://www.debian.org/security/2020/dsa-4785
* Ubuntu Security Advisory: https://ubuntu.com/security/notices/USN-4630-1
* Fedora security fix: https://src.fedoraproject.org/rpms/raptor2/c/4e07bafb07c4677607fa536cc940ba35e2cfd900?branch=master

Closed by David Runge (dvzrv)
Friday, 13 November 2020, 19:27 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with 2.0.15-14

Comment by Thomas Ludwig (adventurer) - Friday, 13 November 2020, 14:24 GMT

Comment by David Runge (dvzrv) - Friday, 13 November 2020, 19:03 GMT
@adventurer: Thanks for bringing this to our attention!

I will fix this and the out-of-bounds read in an upcoming pkgrel bump.
