libebml: Heap buffer overflow vulnerability — GLSA 202208-21

A heap-based buffer overflow in libeml might allow attackers to execute arbitrary code.

Affected packages

dev-libs/libebml on the arm,ppc,sparc,x86 architecture
Affected versions < 1.4.2
Unaffected versions >= 1.4.2

Background

libebml is a C++ library to parse EBML files.

Description

On 32bit builds of libebml, the length of a string is miscalculated, potentially leading to an exploitable heap overflow.

Impact

An attacker able to provide arbitrary input to libebml could achieve arbitrary code execution.

Workaround

There is no known workaround at this time.

Resolution

Users of libebml on 32 bit architectures should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-libs/libebml-1.4.2"
 

References

Release date
August 14, 2022

Latest revision
August 14, 2022: 1

Severity
high

Exploitable
remote

Bugzilla entries