GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Thu Mar 19, 2020 10:26 pm Post subject: [ GLSA 202003-44 ] Binary diff |
 |
|
Gentoo Linux Security Advisory
Title: Binary diff: Heap-based buffer overflow (GLSA 202003-44)
Severity: high
Exploitable: local, remote
Date: 2020-03-19
Bug(s): #701848
ID: 202003-44
Synopsis
A heap-based buffer overflow in Binary diff might allow remote
attackers to execute arbitrary code.
Background
bsdiff and bspatch are tools for building and applying patches to binary
files.
Affected Packages
Package: dev-util/bsdiff
Vulnerable: < 4.3-r4
Unaffected: >= 4.3-r4
Architectures: All supported architectures
Description
It was discovered that the implementation of bspatch did not check for a
negative value on numbers of bytes read from the diff and extra streams.
Impact
A remote attacker could entice a user to apply a specially crafted patch
using bspatch, possibly resulting in execution of arbitrary code with the
privileges of the process or a Denial of Service condition.
Workaround
There is no known workaround at this time.
Resolution
All Binary diff users should upgrade to the latest version: | Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-util/bsdiff-4.3-r4"
|
References
CVE-2014-9862 |
|
News & Announcements
