Bug#988024: hivex: CVE-2021-3504
Hi Hilko On Wed, May 05, 2021 at 12:06:09AM +0200, Hilko Bengen wrote: > * Salvatore Bonaccorso: > > > CVE-2021-3504[0]: > > | Buffer overflow when provided invalid node key length > > > > Making the severity RC as I think the fix needs to go into bullseye. > > Right. > > I contacted team@security.d.o a about the issue, including a proposed > hivex/1.3.18-1+deb10u1 for stable-security a few days ago, but I'm not > aware of getting an answer. Yes, we have not yet replied to it, saw the mail but there were more pressing issues to work on, sorry about that. A bit orthogonal to the choosen severity for this bug to make it land in bullseye, my gut feeling here is that we might just let the fix go in via an upcoming point release, instead of fixing it via a DSA. > Preparing a request for pre-approval/unblocking of 1.3.20-1 for the > release team now. Thank you sounds like a good plan and asw the pre-approval unblock request happened already, so thank you. Regards, Salvatore
Bug#988024: hivex: CVE-2021-3504
* Salvatore Bonaccorso: > CVE-2021-3504[0]: > | Buffer overflow when provided invalid node key length > > Making the severity RC as I think the fix needs to go into bullseye. Right. I contacted team@security.d.o a about the issue, including a proposed hivex/1.3.18-1+deb10u1 for stable-security a few days ago, but I'm not aware of getting an answer. Preparing a request for pre-approval/unblocking of 1.3.20-1 for the release team now. Cheers, -Hilko
Bug#988024: hivex: CVE-2021-3504
Source: hivex Version: 1.3.19-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for hivex. CVE-2021-3504[0]: | Buffer overflow when provided invalid node key length Making the severity RC as I think the fix needs to go into bullseye. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2021-3504 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3504 [1] https://bugzilla.redhat.com/show_bug.cgi?id=1949687 [2] https://listman.redhat.com/archives/libguestfs/2021-May/msg00013.html [3] https://github.com/libguestfs/hivex/commit/8f1935733b10d974a1a4176d38dd151ed98cf381 Please adjust the affected versions in the BTS as needed. Regards, Salvatore