1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.DIST

  • Bug#1109300: gobgp: CVE-2025-7464

    From Salvatore Bonaccorso@21:1/5 to All on Mon Jul 14 22:20:01 2025
    Source: gobgp
    Version: 3.36.0-2
    Severity: important
    Tags: security upstream
    X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

    Hi,

    The following vulnerability was published for gobgp.

    CVE-2025-7464[0]:
    | A vulnerability classified as problematic has been found in osrg
    | GoBGP up to 3.37.0. Affected is the function SplitRTR of the file
    | pkg/packet/rtr/rtr.go. The manipulation leads to out-of-bounds read.
    | It is possible to launch the attack remotely. The complexity of an
    | attack is rather high. The exploitability is told to be difficult.
    | The name of the patch is e748f43496d74946d14fed85c776452e47b99d64.
    | It is recommended to apply a patch to fix this issue.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-7464
    https://www.cve.org/CVERecord?id=CVE-2025-7464
    [1] https://github.com/osrg/gobgp/commit/e748f43496d74946d14fed85c776452e47b99d64

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Mathias Gibbens@21:1/5 to All on Tue Jul 15 11:40:01 2025
    AI-generated slop CVE originating from "CyberGym"[0,1].

    Claimed fix of the issue has been committed upstream for over a month
    and will be part of the next release. Until/unless upstream says
    otherwise, I don't see justification for the Security Team to waste any
    time on this.

    Mathias

    [0] -- https://www.cybergym.io/
    [1] -- https://vuldb.com/?id.316116

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEE1Bp60H32xfynSJ8cKe7i1uz0QvkFAmh2IGEACgkQKe7i1uz0 Qvmfnw/+J8JxGHvCUsg7mKRV6VsJ+YuhlEHVGQkvGiBPyUadPgvEWWT5+pdDkvlT pVTTd5WieeUdIbWIKKmiBJT4rc1agnGK5sJZV2l5RE3HGbb4dlfK+NG+0oGnEKcL 5gk1n1jmdRKdQjxgFpSjTqH+j9VZlgWggN6CiXm6fwr4ctY7KRFZGRMM82MjnEx6 WqYcfwTWhMzArZW72ijdIh5nWDFrWetx1EInoo/C3CPZ7OgVa7UYr8/Dl8q9k/UX UXlHYtBzHYoi0MhHle8Brlkz4TkPjQXLVQB0sxCYSfUkDrZo089SzMd7llLw+hAU IlNJ4L7D2a47Mr5o9tOrKJ+otw6FDV84as45kl60+CDl4MfslG5LNmFJfVFnEP5s cdOYOiuMx/3w6Y/Xrd8g1t/FafHmVdJLRNNfCdnoXOhzokZoLZ69q58UJDj1wVMG gnpM9ZNKiKzmWfKoQEYNSftDylamvG5BfDYwBkOWePFX+deYXZsIH/0fhacJ7VP6 zlSoPsrSC55rgfAHPaVA99q5CLBTdVOoCFaI5cmSveYLX2Thgn7qaC5z4d0mKpBW fOCOrgZxPL90ZNESdxhr351SZRKXHJEoJKvEX06OHvJnM09YX51AO+5ey0l3E6wy cGxef5ryECVlreIvnYlc7BRD6zY7M+VxhNi9NNuQyKjcXhUgdw8=
    =2smW
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Salvatore Bonaccorso@21:1/5 to Mathias Gibbens on Tue Jul 15 15:30:01 2025
    Hi Mathias,

    On Tue, Jul 15, 2025 at 09:33:21AM +0000, Mathias Gibbens wrote:
    AI-generated slop CVE originating from "CyberGym"[0,1].

    Oh well.

    Claimed fix of the issue has been committed upstream for over a month
    and will be part of the next release. Until/unless upstream says
    otherwise, I don't see justification for the Security Team to waste any
    time on this.

    Yes that is fine, thank you!

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)