First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 180538
Alias:
Product:
Component:
Status: RESOLVED
Resolution: INVALID
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 180538 depends on: Show dependency tree
Bug 180538 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2007-06-01 11:26 0000 
#20014: Findutils-4.2.31 includes a patch for a potential security
problem in locate.  When locate read an old-format database, it read
file names into a fixed-length buffer allocated on the heap without
checking for overflow.  Although overflowing a heap buffer is often
somewhat safer than overflowing a buffer on the stack, this bug still
has potential security implications.

------- Comment #1 From Sune Kloppenborg Jeppesen 2007-06-01 11:28:20 0000 ------- 
Base-system please advise and patch as necessary.

------- Comment #2 From SpanKY 2007-06-01 14:16:26 0000 ------- 
findutils-4.2.31 now in the tree

------- Comment #3 From Sune Kloppenborg Jeppesen 2007-06-02 14:13:19 0000 ------- 
Thx Vapier.

Arches please test and mark stable. Target keywords are:

findutils-4.2.31.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64
s390 sh sparc x86"

------- Comment #4 From Christoph Mende 2007-06-02 14:30:37 0000 ------- 
amd64 done

------- Comment #5 From Raúl Porcel 2007-06-02 14:47:19 0000 ------- 
alpha/ia64/x86 stable

------- Comment #6 From Jeroen Roovers 2007-06-02 14:56:11 0000 ------- 
Stable for HPPA.

------- Comment #7 From Luca Barbato 2007-06-02 19:15:40 0000 ------- 
Marked ppc and ppc64

------- Comment #8 From Jonathan Smith 2007-06-02 19:35:56 0000 ------- 
gentoo isn't actually affected by this issue, nor are most linux distros.

from the ebuild:
        # Don't build or install locate because it conflicts with slocate,
        # which is a secure version of locate.  See bug 18729
        sed -i '/^SUBDIRS/s/locate//' Makefile.in

------- Comment #9 From Sune Kloppenborg Jeppesen 2007-06-03 06:34:32 0000 ------- 
Thx Jonathan for clearing that up. Sorry for the noise.
First Last Prev Next    No search results available      Search page      Enter new bug