1. Forum
  2. Usenet
  3. LINUX.GENTOO.ANNOUNCE

  • [gentoo-announce] [ GLSA 202208-21 ] libebml: Heap buffer overflow vuln

    From glsamaker@gentoo.org@21:1/5 to All on Sun Aug 14 02:20:01 2022
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202208-21
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: High
    Title: libebml: Heap buffer overflow vulnerability
    Date: August 14, 2022
    Bugs: #772272
    ID: 202208-21

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A heap-based buffer overflow in libeml might allow attackers to execute arbitrary code.

    Background
    ==========

    libebml is a C++ library to parse EBML files.

    Affected packages
    =================

    -------------------------------------------------------------------
    Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
    1 dev-libs/libebml < 1.4.2 >= 1.4.2

    Description
    ===========

    On 32bit builds of libebml, the length of a string is miscalculated, potentially leading to an exploitable heap overflow.

    Impact
    ======

    An attacker able to provide arbitrary input to libebml could achieve arbitrary code execution.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    Users of libebml on 32 bit architectures should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/libebml-1.4.2"

    References
    ==========

    [ 1 ] CVE-2021-3405
    https://nvd.nist.gov/vuln/detail/CVE-2021-3405

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202208-21

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2022 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5
    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmL4PVYACgkQFMQkOaVy +9mQtxAAtfpiWLScXQDRPUbuWlWvfeSSXjYtWgO3djZQsw9APvW/gBmU4uyUw8NJ F9ch1WiWsIbjqy33xggcTfjAsAWVUdKumDlktlCiH7lRxIJKyvmhEBSd1w/K2CWw B3+UAIXB6+rXDQW/izvXM/j5usXJJyeOqnyoC5KlkaTo2OuwUu+pBV90mv5DmTld dlkGncFyAk71p5Qc/DH5vU+xHKH6NPhDBZ+cglJ+cBe2tux0NuVFZnmPJ/RXwhg+ XPfQwOjwyfr8yl7wTdPxkheJeNzC46jSa6CYNdpGPBgqWl60CeI4vU1BByXys3xo uLibA3UVUU/fKePXGvQz8bTxQP+1UFUSF/p3Y5btr7awIzEYANzFy253s37c9EYo 0z0IXLWqzRHXwWPcQXYzxoA8C0XfA6hcCeBycJCH6D6RuIKK/OldhZHqAmnXDnZE PkUmcWUme7Oyu7GwZV+7S7TUuRiJq0DmPTMGPQqO1XkQskheCTk9Xos4sCMiPzDU ilCgtJKEouL/0kXKBsA04Wdg3DF69jizy2gw3iZqrTNbIDdW9GnBfU8VMCt+y4sp F+9uFB9f9T98CbwWWNgECh7vnajY6joahcWhe53k95isYQmJssY9w8UxVECKEUVH lmtCzdcsFiQpkPiIjSMorOwmFYdBNHdX0WMY+nt9E2n1VfU/CUM=
    =vqRG
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)