FS#68613 - [raptor] CVE-2017-18926
Attached to Project:
Arch Linux
Opened by Thomas Ludwig (adventurer) - Friday, 13 November 2020, 13:39 GMT
Last edited by David Runge (dvzrv) - Friday, 13 November 2020, 19:27 GMT
Opened by Thomas Ludwig (adventurer) - Friday, 13 November 2020, 13:39 GMT
Last edited by David Runge (dvzrv) - Friday, 13 November 2020, 19:27 GMT
|
Details
Description:
Today Hanno Böck writes on https://www.golem.de/news/linux-distributionen-warum-ein-sicherheitsfix-drei-jahre-nicht-ankam-2011-152105.html that he reported a vulnerability in the raptor library in 2017, specifically a buffer overflow which can lead to a heap corruption. There is a fix on the project's github site but unfortunately a new version hasn't been released since then. As a result this vulnerability has not been fixed in many Linux distributions. As far as I can see it's not fixed in Arch Linux as well. Additional info: * package version: raptor 2.0.15-13 * Hanno Böcks's bug report: https://www.openwall.com/lists/oss-security/2017/06/07/1 * CVE: https://nvd.nist.gov/vuln/detail/CVE-2017-18926 * The fix on the raptor github site: https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f * Debian Security Advisory: https://www.debian.org/security/2020/dsa-4785 * Ubuntu Security Advisory: https://ubuntu.com/security/notices/USN-4630-1 * Fedora security fix: https://src.fedoraproject.org/rpms/raptor2/c/4e07bafb07c4677607fa536cc940ba35e2cfd900?branch=master |
This task depends upon
Closed by David Runge (dvzrv)
Friday, 13 November 2020, 19:27 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with 2.0.15-14
Friday, 13 November 2020, 19:27 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with 2.0.15-14
I will fix this and the out-of-bounds read in an upcoming pkgrel bump.