sleuthkit: Multiple vulnerabilities (CVE-2020-10232, CVE-2020-10233)
CVE-2020-10232: Stack buffer overflow vulnerability in yaffsfs_istat() in fs/yaffs.c.
In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a stack buffer overflow vulnerability in the YAFFS file timestamp parsing logic in yaffsfs_istat() in fs/yaffs.c.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-10232
- https://bugs.gentoo.org/show_bug.cgi?id=CVE-2020-10232
Patch:
https://github.com/sleuthkit/sleuthkit/commit/459ae818fc8dae717549810150de4d191ce158f1
CVE-2020-10233: Heap-based buffer over-read in ntfs_dinode_lookup() in fs/ntfs.c
In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a heap-based buffer over-read in ntfs_dinode_lookup in fs/ntfs.c.
References:
Affected branches:
Edited by Leo