http://bugzilla.gnome.org/show_bug.cgi?id=391970
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405197
See the gnome bug for the patch. libsoup is missing some input sanitizing when parsing HTTP headers - in this case a binary 0 (\x00) causes a crash. Debian says the bug is not exploitable for anything other than a crash - initial discovery was via rhythmbox using the daap plugin.
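The bug class described in the report above (an HTTP header line containing an embedded 0x00 byte reaching a parser that does not expect one) is illustrated by the following added example. This is not libsoup's code and not the upstream patch; it is a stand-alone, length-aware header-line checker written for this discussion. The function names (`parse_header_line`, `check_line`, the `demo_*` helpers) and the crafted input `CRAFTED_LINE` are assumptions made for the example. It contrasts the C-string view of such a line (where `strlen` silently stops at the NUL, so a parser working on `char *` never sees the bytes after it) with a parser that takes an explicit length and rejects NUL and other control bytes before any string routine touches the data.

```c
/* Added example: length-aware HTTP header-line validation that rejects an
 * embedded NUL instead of letting C-string functions truncate or misparse
 * the line. Illustrative code for this bug thread, not libsoup's parser. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum hdr_status {
    HDR_OK = 0,
    HDR_NUL,        /* 0x00 byte anywhere in the line */
    HDR_BAD_NAME,   /* empty name or non-token byte in the field name */
    HDR_NO_COLON,   /* no ':' separator found */
    HDR_BAD_VALUE   /* control byte (other than HTAB) in the value, or too long */
};

/* RFC 2616 token character: printable ASCII and not a separator. */
static int is_token_char(unsigned char c)
{
    if (c <= 0x20 || c >= 0x7f)
        return 0;
    return strchr("()<>@,;:\\\"/[]?={}", c) == NULL;
}

/* Constructed input (assumption for the example): "Host: example" then a NUL,
 * then ".invalid\r\n". A C-string view sees only the first 13 bytes. */
static const unsigned char CRAFTED_LINE[] = "Host: example\0.invalid\r\n";
#define CRAFTED_LEN (sizeof(CRAFTED_LINE) - 1)   /* 24 bytes on the wire */

/* Parse one header line given an explicit byte length. Copies the trimmed
 * name and value into caller buffers (NUL-terminated) on success. */
enum hdr_status parse_header_line(const unsigned char *buf, size_t len,
                                  char *name, size_t name_cap,
                                  char *value, size_t value_cap)
{
    size_t i, vstart, vend, j;

    /* Reject NUL first, before anything that could treat buf as a C string. */
    for (i = 0; i < len; i++)
        if (buf[i] == 0)
            return HDR_NUL;

    /* Field name: one or more token characters up to ':'. */
    for (i = 0; i < len && buf[i] != ':'; i++)
        if (!is_token_char(buf[i]))
            return HDR_BAD_NAME;
    if (i == 0)
        return HDR_BAD_NAME;
    if (i == len)
        return HDR_NO_COLON;
    if (i + 1 > name_cap)
        return HDR_BAD_NAME;
    memcpy(name, buf, i);
    name[i] = '\0';

    /* Field value: strip leading SP/HTAB and trailing SP/HTAB/CR/LF. */
    vstart = i + 1;
    vend = len;
    while (vstart < vend && (buf[vstart] == ' ' || buf[vstart] == '\t'))
        vstart++;
    while (vend > vstart && (buf[vend - 1] == ' ' || buf[vend - 1] == '\t' ||
                             buf[vend - 1] == '\r' || buf[vend - 1] == '\n'))
        vend--;
    for (j = vstart; j < vend; j++)
        if ((buf[j] < 0x20 && buf[j] != '\t') || buf[j] == 0x7f)
            return HDR_BAD_VALUE;
    if (vend - vstart + 1 > value_cap)
        return HDR_BAD_VALUE;
    memcpy(value, buf + vstart, vend - vstart);
    value[vend - vstart] = '\0';
    return HDR_OK;
}

/* Convenience wrapper with internal scratch buffers; returns only the status. */
enum hdr_status check_line(const unsigned char *buf, size_t len)
{
    char name[64], value[256];
    return parse_header_line(buf, len, name, sizeof name, value, sizeof value);
}

/* How many bytes a strlen()-based parser would believe the crafted line has. */
size_t crafted_cstring_len(void) { return strlen((const char *)CRAFTED_LINE); }

/* 1 if the length-aware parser rejects the crafted line as containing a NUL. */
int demo_crafted_rejected(void)
{
    return check_line(CRAFTED_LINE, CRAFTED_LEN) == HDR_NUL;
}

/* 1 if a well-formed line parses and yields the expected trimmed value. */
int demo_normal_line_ok(void)
{
    const char *line = "Host:  example.org \r\n";
    char name[64], value[256];
    enum hdr_status st = parse_header_line((const unsigned char *)line, strlen(line),
                                           name, sizeof name, value, sizeof value);
    return st == HDR_OK && strcmp(name, "Host") == 0 && strcmp(value, "example.org") == 0;
}

int main(void)
{
    printf("wire length %zu, strlen view %zu\n", (size_t)CRAFTED_LEN, crafted_cstring_len());
    printf("crafted line rejected: %d\n", demo_crafted_rejected());
    printf("normal line ok: %d\n", demo_normal_line_ok());
    return 0;
}
```

The point of the first loop is ordering: the NUL check runs on the length-delimited buffer before `memcpy` or any `str*` call, so the bytes after the 0x00 are neither silently dropped nor handed to code that assumes the line ends there.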
setting status and cc'ing herd.
libsoup-2.2.99 is in the tree now as ~arch, which includes the fix for upstream bug 391970 as linked above. If this bug is considered a security fix that should get quick stabilization, please CC arches yourself or let me know to do that.
@comment #2 - Do we want to stabilize a patch on any of the lower versions? I recall something about 2.2.9x being a development branch?
2.2.9x versions have been the minimum for GNOME since GNOME-2.14 - ftp://ftp.gnome.org/pub/GNOME/teams/releng/2.14.0/versions We have 2.16 stable now. So apparently upstream considers it stable. Plus many of the (stabilized) libsoup users in the tree demand at least 2.2.90. As for SLOT=0 (1.99.28), I hope to get rid of that completely very soon, though users will have to notice to uninstall it themselves, as nothing would force an unmerge through a block.
Understood. Arches, please test and mark stable: net-libs/libsoup-2.2.99 KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"
amd64 stable first and the best! thanks
ppc64 stable
Created attachment 107068 [details] Test errors on Alpha I get a rather impressive amount of test errors (537212952 to be precise :) on alpha using 2.2.99. 2.2.94 passes tests with no errors. I've attached the test part of the emerge log. Any ideas what could cause this?
ppc stable
SPARC is seeing the same failures when it comes to testing as Alpha is in comment #8
Stable for HPPA with precisely 1076425976 test errors.
A negative amount failed on x86. header-parsing is a new test introduced with .99, as the ones also available in .98 pass successfully. -156140 errors FAIL: header-parsing
x86 stable, as the software works with libsoup...damn tests.
So? Should we ignore the testsuite? How about we start using RESTRICT="test" for known failures?
sparc stable and disabled tests in the ebuild since they're known broken.
Stable on Alpha and IA64.
glsa or no glsa?
/vote no, it's a client DoS.
I vote no.
I vote yes.
Another NO vote.
I don't know how I voted twice, with conflicting votes, but I really did mean to vote no.
noglsa feel free to reopen if you disagree