#20014: Findutils-4.2.31 includes a patch for a potential security problem in locate. When locate read an old-format database, it read file names into a fixed-length buffer allocated on the heap without checking for overflow. Although overflowing a heap buffer is often somewhat safer than overflowing a buffer on the stack, this bug still has potential security implications.
Base-system please advise and patch as necessary.
findutils-4.2.31 now in the tree
Thx Vapier. Arches please test and mark stable. Target keywords are: findutils-4.2.31.ebuild:KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
amd64 done
alpha/ia64/x86 stable
Stable for HPPA.
Marked ppc and ppc64
gentoo isn't actually affected by this issue, nor are most linux distros. from the ebuild: # Don't build or install locate because it conflicts with slocate, # which is a secure version of locate. See bug 18729 sed -i '/^SUBDIRS/s/locate//' Makefile.in
Thx Jonathan for clearing that up. Sorry for the noise.