Bug#: 109997
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Thierry Carrez (RETIRED) <koon@gentoo.org>

Description:   Opened: 2005-10-21 01:17 0000
Chris Evans discovered that libungif 4.1.4 fixed potentially sensitive issues
that may be used to execute arbitrary code.

These issues were initially discovered by Daniel Eisenbud and silently fixed in
4.1.4.

------- Comment #1 From Thierry Carrez (RETIRED) 2005-10-21 01:20:57 0000 -------
Mamoru: this is a semi-public issue, could you silently add 4.1.4 to the tree so
that we are ready to disclose it by the coordinated date (2005/10/28, 1400 UTC)?

------- Comment #2 From SpanKY 2005-10-21 06:50:15 0000 -------
libungif is dead

only giflib should be updated and libungif should be masked

------- Comment #3 From Thierry Carrez (RETIRED) 2005-10-21 08:49:21 0000 -------
Release date is now set to 2005/11/03

------- Comment #4 From Thierry Carrez (RETIRED) 2005-10-28 00:37:51 0000 -------
CVE Ids :
CVE-2005-2974 libungif NULL pointer deref
CVE-2005-3350 libungif OOB access

usata/vapier: please bump

------- Comment #5 From SpanKY 2005-10-28 16:12:56 0000 -------
giflib-4.1.4 now in portage

------- Comment #6 From Thierry Carrez (RETIRED) 2005-10-29 02:29:55 0000 -------
Ccing security liaisons...
Please test and mark 4.1.4 stable, so that the ebuild is ready at GLSA release
time.

------- Comment #7 From Michael Hanselmann (hansmi) (RETIRED) 2005-10-29 08:55:52 0000 -------
Stable on ppc and hppa.

------- Comment #8 From Bryan Østergaard (RETIRED) 2005-10-29 12:53:56 0000 -------
Stable on alpha.

------- Comment #9 From Simon Stelling (RETIRED) 2005-10-30 02:53:24 0000 -------
amd64 stable

------- Comment #10 From Gustavo Zacarias (RETIRED) 2005-10-31 07:21:27 0000 -------
sparc stable.

------- Comment #11 From Brent Baude 2005-10-31 07:45:23 0000 -------
Marked ppc64 stable (and urt)

------- Comment #12 From Thierry Carrez (RETIRED) 2005-11-03 02:53:58 0000 -------
Adding halcyon to handle x86 stable marking.

------- Comment #13 From Mark Loeser 2005-11-03 11:56:03 0000 -------
x86 stable

------- Comment #14 From Thierry Carrez (RETIRED) 2005-11-04 00:32:48 0000 -------
Embargo ended, ready to send.

------- Comment #15 From Thierry Carrez (RETIRED) 2005-11-04 00:44:26 0000 -------
mips should mark giflib-4.1.4 ~
ppc-macos should test and mark giflib-4.1.4 stable

------- Comment #16 From Thierry Carrez (RETIRED) 2005-11-04 00:45:05 0000 -------
Hm. in fact mips should even test and mark stable.

------- Comment #17 From Fabian Groffen 2005-11-04 02:39:30 0000 -------
I had to stable the following packages to stable giflib-4.1.4:
urt-3.1b-r1
ghostscript-7.07.1-r10
media-fonts/gnu-gs-fonts-std-8.11

Note: I encountered bug #111455 but ignored it for now and stabled giflib.

------- Comment #18 From Thierry Carrez (RETIRED) 2005-11-04 04:34:10 0000 -------
GLSA 200511-03
mips should mark stable to benefit from GLSA

------- Comment #19 From Hardave Riar (RETIRED) 2005-11-20 02:14:59 0000 -------
Stable on mips.
