Currently Gentoo has media-libs/libextractor-0.5.4; upstream has released 0.5.6a. One problem with 0.5.6a is that although the source is available via http://gnunet.org/libextractor/ it hasn't been mirrored by GNU yet. The latest version mirrored by GNU is 0.5.6. Both 0.5.6 and 0.5.6a build fine for me on x86_64 (after I manually downloaded 0.5.6a).
Possible actions:
- Simple version bump from 0.5.4 to 0.5.6.
- Version bump to 0.5.6a and modify SRC_URI from GNU mirror to libextractor home page, then modify SRC_URI back once GNU mirrors catch up.
- Stay with 0.5.4 until GNU mirrors catch up and do version bump to 0.5.6a.
I think it might be good enough to just go to 0.5.6 and hold off with 0.5.6a for a while.
Reproducible: Always
This release fixes an integer overflow. I don't know if it is a serious bug, but the ChangeLog mentions:
Thu Sep 15 00:56:51 PDT 2005
Fixed incorrectly handled integer overflow in png extractor.
Adding security to CC.
net-p2p please bump.
(In reply to comment #2)
> net-p2p please bump.
This is already bumped. I suppose sekretarz just wanted to let you know about this overflow.
x86 sparc: please test and mark 0.5.6a stable
Can't get marked stable until those dependencies are resolved.
DEPEND.bad 1
  media-libs/libextractor/libextractor-0.5.6a.ebuild: x86(default-linux/x86/2005.0) ['>=x11-libs/gtk+-2.6.10']
RDEPEND.bad 1
  media-libs/libextractor/libextractor-0.5.6a.ebuild: x86(default-linux/x86/2005.0) ['>=x11-libs/gtk+-2.6.10']
This is a problem for both sparc and x86.
sparc stable.
x86 stable
Ready for GLSA vote. I would vote yes right away if I was sure there was an exploitable vulnerability fixed in this release. "Fixed incorrectly handled integer overflow in png extractor" doesn't mean there was something exploitable here. I wonder if that doesn't mean that the old fix was just a little dirty... Someone will have to look deeper.
Also waiting for further information before I can vote YES.
Hm. Really not sure about this one. I agree that pngextractor needed some fixorz, but not sure they patch something exploitable. Apparently Debian agrees with me since they pushed 0.5.6a without the security tag. To make up your own mind, I'll attach the 0.5.6a file and the 0.5.5 -> 0.5.6a patchfile for pngextractor.c...
Created attachment 72019: pngextractor_0.5.5-0.5.6a.diff. The fix in question (diff between the 0.5.5 and the 0.5.6a version of pngextractor.c)
Created attachment 72020: pngextractor.c. pngextractor.c from 0.5.6a
Created attachment 72023: pngextractor_0.5.5-0.5.6a.patch. The unified one, so that taviso can read it :P
There does not appear to be any security impact here, marking CLOSED.