[Bug 1193874] New: VUL-0: CVE-2021-36977: matio: heap-based buffer overflow in H5MM_memcpy()
https://bugzilla.suse.com/show_bug.cgi?id=1193874

Bug ID: 1193874
Summary: VUL-0: CVE-2021-36977: matio: heap-based buffer overflow in H5MM_memcpy()
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.3
Hardware: Other
URL: https://smash.suse.de/issue/304598/
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: badshah400@gmail.com
Reporter: gabriele.sonnu@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

matio (aka MAT File I/O Library) 1.5.20 and 1.5.21 has a heap-based buffer overflow in H5MM_memcpy (called from H5MM_malloc and H5C_load_entry).

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1984613
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36977
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31265
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36977
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/matio/OSV-2021-440....

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1193874
https://bugzilla.suse.com/show_bug.cgi?id=1193874#c1

--- Comment #1 from Gabriele Sonnu <gabriele.sonnu@suse.com> ---
Affected packages:
- openSUSE:Backports:SLE-15-SP4/matio 1.5.21
- openSUSE:Factory/matio 1.5.21

No references to a fix for now.

https://bugzilla.suse.com/show_bug.cgi?id=1193874

Maintenance Robot <maint-coord+maintenance_robot@suse.de> changed:

What    |Removed  |Added
----------------------------------------------------------------------------
Priority|P5 - None|P3 - Medium

https://bugzilla.suse.com/show_bug.cgi?id=1193874
https://bugzilla.suse.com/show_bug.cgi?id=1193874#c4

Atri Bhattacharya <badshah400@gmail.com> changed:

What|Removed|Added
----------------------------------------------------------------------------
CC  |       |badshah400@gmail.com

--- Comment #4 from Atri Bhattacharya <badshah400@gmail.com> ---
(In reply to Luciano Santos from comment #2)
> It seems this one fell through the cracks, so I've sent a request. I'd open a maintenance request (if help is welcomed in such cases) but I'm without a Linux box for now.

Maybe I am confused, but it seems the only thing your sr does is add the bug reference from b.o.o to a changelog entry. So, in reality, nothing actually fell through the cracks: the fix was submitted "May 6 19:31:33 UTC 2022", or am I missing something?

https://bugzilla.suse.com/show_bug.cgi?id=1193874
https://bugzilla.suse.com/show_bug.cgi?id=1193874#c5

--- Comment #5 from Luciano Santos <luc14n0@opensuse.org> ---
(In reply to Atri Bhattacharya from comment #4)
> (In reply to Luciano Santos from comment #2)
> > It seems this one fell through the cracks, so I've sent a request. I'd open a maintenance request (if help is welcomed in such cases) but I'm without a Linux box for now.
>
> Maybe I am confused, but it seems the only thing your sr does is add the bug reference from b.o.o to a changelog entry. So, in reality, nothing actually fell through the cracks: the fix was submitted "May 6 19:31:33 UTC 2022", or am I missing something?

Hi Atri, yes, my SR only added this bug reference, so that the 1.5.23 Matio release could be forwarded to Leap 15.4 -- that's sitting on 1.5.21 --, and maybe even to Leap 15.3 -- 1.5.17 --, following the maintenance process [1]. I was even going to send the request myself, but the package maintainer took more than a month to accept my request and for a while I'm going to be without a Linux box until it gets fixed.

Then, yeah, the fix reached Tumbleweed, but not Leap yet, as far as my digging skills can tell. That's what I'm referring to "falling through the cracks" here.

Note that I don't have any particular interest in Matio or Leap. I saw this CVE bug without the bots screaming the usual "An update was released that references this bug ..." thing for Leap, while I was skimming through a series of bugs and got curious to know why. Saw this particular CVE being mentioned in the 1.5.23 Matio changes entry and decided to lend a hand, even though I'm not sure how *security updates* (VUL bugs) are handled for Leap, in detail.

[1] https://en.opensuse.org/openSUSE:Maintenance_update_process#Write_a_meaningf...

https://bugzilla.suse.com/show_bug.cgi?id=1193874
https://bugzilla.suse.com/show_bug.cgi?id=1193874#c6

--- Comment #6 from Luciano Santos <luc14n0@opensuse.org> ---
Probably I should've cloned this bug for Leap 15.4, but I'm not certain about that either.

https://bugzilla.suse.com/show_bug.cgi?id=1193874
https://bugzilla.suse.com/show_bug.cgi?id=1193874#c7

--- Comment #7 from Atri Bhattacharya <badshah400@gmail.com> ---
(In reply to Luciano Santos from comment #5)
> Hi Atri, yes, my SR only added this bug reference, so that the 1.5.23 Matio release could be forwarded to Leap 15.4 -- that's sitting on 1.5.21 --, and maybe even to Leap 15.3 -- 1.5.17 --, following the maintenance process [1]. I was even going to send the request myself, but the package maintainer took more than a month to accept my request and for a while I'm going to be without a Linux box until it gets fixed.
>
> Then, yeah, the fix reached Tumbleweed, but not Leap yet, as far as my digging skills can tell. That's what I'm referring to "falling through the cracks" here.

OK, just wanted to understand. I will submit an sr for matio against the maintained Leap projects tomorrow, if that is ok with you (as you are unable to right now).

https://bugzilla.suse.com/show_bug.cgi?id=1193874

Marcus Meissner <meissner@suse.com> changed:

What|Removed|Added
----------------------------------------------------------------------------
CC  |       |meissner@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1193874
https://bugzilla.suse.com/show_bug.cgi?id=1193874#c10

--- Comment #10 from Swamp Workflow Management <swamp@suse.de> ---
openSUSE-SU-2022:10235-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1193873,1193874
CVE References: CVE-2020-36428,CVE-2021-36977
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src): matio-1.5.23-bp154.2.3.1

https://bugzilla.suse.com/show_bug.cgi?id=1193874
https://bugzilla.suse.com/show_bug.cgi?id=1193874#c11

Marcus Meissner <meissner@suse.com> changed:

What      |Removed|Added
----------------------------------------------------------------------------
Status    |NEW    |RESOLVED
Resolution|---    |FIXED

--- Comment #11 from Marcus Meissner <meissner@suse.com> ---
done