- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202003-44
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Binary diff: Heap-based buffer overflow
Date: March 19, 2020
Bugs: #701848
ID: 202003-44
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
A heap-based buffer overflow in Binary diff might allow remote
attackers to execute arbitrary code.
Background
bsdiff and bspatch are tools for building and applying patches to
binary files.
Affected packages
-------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
  1  dev-util/bsdiff            < 4.3-r4                    >= 4.3-r4
Description
It was discovered that the bspatch implementation did not check for
negative values in the byte counts it reads from the diff and extra
streams.
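The missing check, as an added C illustration that is not Gentoo's or bsdiff's own code: it decodes a 24-byte bsdiff control block using upstream's sign-magnitude integer encoding, then contrasts an end-of-write bound on its own with the same bound preceded by a rejection of negative or oversized lengths, the kind of check fixed versions perform. The function names and the constructed block are this example's own assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

/* Decode one 8-byte bsdiff control integer: magnitude stored little-endian
 * in the low 63 bits, sign carried in the top bit of the last byte. */
static int64_t offtin(const uint8_t *buf)
{
    int64_t y = buf[7] & 0x7F;
    for (int i = 6; i >= 0; i--)
        y = y * 256 + buf[i];
    return (buf[7] & 0x80) ? -y : y;
}

/* One bspatch control block: bytes to take from the diff stream, bytes to
 * take from the extra stream, and the seek applied to the old-file offset. */
struct ctrl { int64_t difflen, extralen, seek; };

static struct ctrl read_ctrl(const uint8_t block[24])
{
    struct ctrl c = { offtin(block), offtin(block + 8), offtin(block + 16) };
    return c;
}

/* Old-style sanity check: bounds only the end of each write against newsize.
 * A negative length passes it, which is the defect the advisory describes. */
static bool ctrl_ok_old(const struct ctrl *c, int64_t newpos, int64_t newsize)
{
    return newpos + c->difflen <= newsize &&
           newpos + c->difflen + c->extralen <= newsize;
}

/* Hardened check: reject negative or oversized lengths before anything is
 * read from the streams, then apply the same end-of-write bound. */
static bool ctrl_ok_fixed(const struct ctrl *c, int64_t newpos, int64_t newsize)
{
    if (c->difflen < 0 || c->difflen > INT_MAX ||
        c->extralen < 0 || c->extralen > INT_MAX)
        return false;
    return ctrl_ok_old(c, newpos, newsize);
}

/* Constructed block (hypothetical input): difflen = -16, i.e. 0x10 with the
 * sign bit set in the last byte; extralen and seek are zero. */
static const uint8_t bad_block[24] = {
    0x10, 0, 0, 0, 0, 0, 0, 0x80,
};
```

With `bad_block`, `ctrl_ok_old` accepts a 4096-byte output position check while `ctrl_ok_fixed` rejects it, which is exactly the gap the upgrade closes.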
Impact
A remote attacker could entice a user to apply a specially crafted
patch using bspatch, possibly resulting in execution of arbitrary code
with the privileges of the process or a Denial of Service condition.
Workaround
There is no known workaround at this time.
Resolution
All Binary diff users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-util/bsdiff-4.3-r4'
References
[ 1 ] CVE-2014-9862
https://nvd.nist.gov/vuln/detail/CVE-2014-9862
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202003-44
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2020 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5