Bug#: 109705
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Thierry Carrez (RETIRED) <koon@gentoo.org>

Description:   Opened: 2005-10-18 07:04 0000
CAN-2005-2978 :
RedHat discovered a buffer overflow in the netpbm utility pnmtopng.

Prepared ebuild should be committed directly to stable on the following archs:
alpha amd64 hppa ppc ppc64 sparc x86

Also media-libs/urt-3.1b-r1 should be pushed to ppc64 stable at the same time.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-10-18 07:05:38 0000 -------
*** Bug 107609 has been marked as a duplicate of this bug. ***

------- Comment #2 From Thierry Carrez (RETIRED) 2005-10-18 07:06:34 0000 -------
vapier: please commit your ebuild from bug 107609.

------- Comment #3 From Thierry Carrez (RETIRED) 2005-10-18 08:30:28 0000 -------
Hm. In fact 10.29 is fixed, so we should move to that.

Calling arch testers again (sorry bout that):
Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"

Stable any >=10.29 of your liking.


------- Comment #4 From Lares Moreau 2005-10-18 10:07:15 0000 -------
x86:
emerged 10.29-r1, without issue. 
this ebuild depends on media-libs/urt which is also unstable in this arch.

perhaps a bug for media-libs/urt stabilization is in order, to handle the
stabilization of this dependency.

------- Comment #5 From SpanKY 2005-10-18 10:32:13 0000 -------
no one said 10.29-r1 needs to be the one stabilized

------- Comment #6 From Lares Moreau 2005-10-18 10:44:31 0000 -------
Thierry Carrez wrote: "Hm. In fact 10.29 is fixed, so we should move to that."

is not 10.29-r1 the logical package to stabilize?

------- Comment #7 From Michael Hanselmann (hansmi) (RETIRED) 2005-10-18 11:10:05 0000 -------
ppc and hppa done.

------- Comment #8 From Andrej Kacian (RETIRED) 2005-10-18 12:12:53 0000 -------
If you don't want 10.29-r1 stabilized, don't say things like "Stable any >=10.29
of your liking." (comment #3). My liking was to stabilize 10.29-r1, because
changelog entry for that revision says it contains multiple fixes.

------- Comment #9 From SpanKY 2005-10-18 13:05:32 0000 -------
no

what is logical is that you move to whatever package is the easiest or whichever
version an arch team decides on

------- Comment #10 From Andrej Kacian (RETIRED) 2005-10-18 14:04:22 0000 -------
Oh, so we don't care about quality now, but about having to do least possible
amount of work now? Sorry I asked then.

------- Comment #11 From Andrej Kacian (RETIRED) 2005-10-18 14:25:30 0000 -------
10.29 stable on x86

------- Comment #12 From Bryan Østergaard (RETIRED) 2005-10-18 16:04:41 0000 -------
Alpha stable.

------- Comment #13 From Luis Medinas (RETIRED) 2005-10-18 16:21:53 0000 -------
amd64 done

------- Comment #14 From Brent Baude 2005-10-18 19:37:26 0000 -------
Marked 10.29 ppc64 stable

------- Comment #15 From Thierry Carrez (RETIRED) 2005-10-19 00:25:15 0000 -------
(In reply to comment #10)
> Oh, so we don't care about quality now, but about having to do least possible
> amount of work now? Sorry I asked then.

When multiple security-fixed versions are available, we (security) don't dictate
which fixed version the arch teams must choose. This is their choice to decide
which version is best fit for their arch stable tree. As long as the
vulnerability is fixed, we are ok with it. That's what vapier was trying to say
in his own words.

------- Comment #16 From Gustavo Zacarias (RETIRED) 2005-10-19 08:34:06 0000 -------
10.29 sparc stable.

------- Comment #17 From Thierry Carrez (RETIRED) 2005-10-20 04:43:09 0000 -------
GLSA 200510-18
mips should mark stable to benefit from GLSA

------- Comment #18 From Aaron Walker (RETIRED) 2005-10-21 05:14:42 0000 -------
10.29 stable on mips. 
