Security vulnerability in the Binary diff software package

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202003-44
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Binary diff: Heap-based buffer overflow
Date: March 19, 2020
Bugs: #701848
ID: 202003-44

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A heap-based buffer overflow in Binary diff might allow remote
attackers to execute arbitrary code.

Background
==========

bsdiff and bspatch are tools for building and applying patches to
binary files.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-util/bsdiff              < 4.3-r4                  >= 4.3-r4

Description
===========

It was discovered that the implementation of bspatch did not check for
a negative value on numbers of bytes read from the diff and extra
streams.
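
The missing check described above, as an added example that is not code from bsdiff or from this advisory: an upper-bound-only test accepts a negative length read from the patch, while the hardened test rejects it before any copy happens. The struct ctrl_entry type and all function names are hypothetical, and the sample entries are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of one control entry decoded from an untrusted patch:
 * bytes to take from the diff stream, then from the extra stream. */
struct ctrl_entry { int64_t diff_len; int64_t extra_len; };

/* Upper-bound-only check (assumed weak form): a negative length lowers
 * newpos + len, so the entry is accepted. */
static bool ctrl_ok_upper_only(const struct ctrl_entry *c, int64_t newpos, int64_t newsize)
{
    return newpos + c->diff_len <= newsize;
}

/* Hardened check: reject negative lengths first, then compare against the
 * space left in the output using subtraction so the sums cannot overflow. */
static bool ctrl_ok_checked(const struct ctrl_entry *c, int64_t newpos, int64_t newsize)
{
    if (newsize < 0 || newpos < 0 || newpos > newsize)
        return false;
    if (c->diff_len < 0 || c->extra_len < 0)
        return false;
    int64_t room = newsize - newpos;
    return c->diff_len <= room && c->extra_len <= room - c->diff_len;
}

/* Walk all entries; return the index of the first rejected one, or -1 if
 * every entry fits inside an output buffer of newsize bytes. */
static long first_bad_entry(const struct ctrl_entry *e, size_t n, int64_t newsize)
{
    int64_t newpos = 0;
    for (size_t i = 0; i < n; i++) {
        if (!ctrl_ok_checked(&e[i], newpos, newsize))
            return (long)i;
        newpos += e[i].diff_len + e[i].extra_len;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample: the second entry carries a negative diff length. */
    const struct ctrl_entry sample[] = { {16, 8}, {-4, 0}, {8, 0} };
    printf("upper-only accepts entry 1: %d\n", ctrl_ok_upper_only(&sample[1], 24, 64));
    printf("first rejected entry: %ld\n", first_bad_entry(sample, 3, 64));
    return 0;
}
```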

Impact
======

A remote attacker could entice a user to apply a specially crafted
patch using bspatch, possibly resulting in execution of arbitrary code
with the privileges of the process or a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Binary diff users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/bsdiff-4.3-r4"

References
==========

[ 1 ] CVE-2014-9862
https://nvd.nist.gov/vuln/detail/CVE-2014-9862

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202003-44

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2020 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
