Bug#: 119309
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Carsten Lohrke <carlo@gentoo.org>

Attachments:
Filename | Description | Type | Creator | Created | Size
antiword-0.37.ebuild | updated ebuild | text/plain | Seemant Kulleen (RETIRED) | 2006-01-18 06:01 0000 | 1.02 KB

Description:   Opened: 2006-01-17 10:13 0000

------- Comment #1 From Carsten Lohrke 2006-01-17 10:13:51 0000 -------
from DSA 945-1:

Javier Fernández-Sanguino Peña from the Debian Security Audit project
discovered that two scripts in antiword, utilities to convert Word
files to text and Postscript, create a temporary file in an insecure
fashion.



0.36.1 is affected as well and the relevant parts of the patch below should
apply.

http://security.debian.org/pool/updates/main/a/antiword/antiword_0.35-2sarge1.diff.gz

------- Comment #2 From Sune Kloppenborg Jeppesen 2006-01-17 11:50:38 0000 -------
Seemant please provide an updated ebuild.

------- Comment #3 From Seemant Kulleen (RETIRED) 2006-01-18 06:01:54 0000 -------
Created an attachment (id=77417)
updated ebuild

updated ebuild -- see distfiles in /space/distfiles-local on toucan

------- Comment #4 From Seemant Kulleen (RETIRED) 2006-01-18 06:02:13 0000 -------
Sune: there it is.

------- Comment #5 From Seemant Kulleen (RETIRED) 2006-01-18 06:11:26 0000 -------
Actually, it's committed into cvs.  Please test and mark stable as appropriate.

------- Comment #6 From Thierry Carrez (RETIRED) 2006-01-18 07:02:23 0000 -------
Arches please test and mark stable
Target KEYWORDS="alpha amd64 ~hppa ppc ~ppc-macos ppc64 sparc x86"

------- Comment #7 From Tobias Scherbaum 2006-01-18 08:38:36 0000 -------
ppc stable

------- Comment #8 From Markus Rothe 2006-01-18 08:55:52 0000 -------
stable on ppc64

------- Comment #9 From Gustavo Zacarias (RETIRED) 2006-01-18 09:44:58 0000 -------
sparc stable.

------- Comment #10 From Paul Varner 2006-01-18 11:22:08 0000 -------
Stable on x86

------- Comment #11 From Simon Stelling (RETIRED) 2006-01-18 11:34:57 0000 -------
amd64 stable

------- Comment #12 From Jose Luis Rivero (yoswink) 2006-01-19 17:14:51 0000 -------
alpha stable. 

Sorry about the delay :(

------- Comment #13 From Stefan Cornelius (RETIRED) 2006-01-22 15:47:41 0000 -------
glsa vote for this one, tend to say yes.

------- Comment #14 From Tavis Ormandy (RETIRED) 2006-01-22 17:04:21 0000 -------
background: only the wrapper script to make drag and drop work for KDE1 users
is affected, i.e. if you use antiword from command line or in KDE3, you're safe.

so, as very few users are likely to be affected, I would vote NO.

------- Comment #15 From Stefan Cornelius (RETIRED) 2006-01-22 17:09:13 0000 -------
Correcting my vote to a no and closing the bug as fixed with no glsa. As
always, feel free to reopen if you disagree.
