Bug 184592 - dev-lang/erlang bundles internal zlib (CVE-2004-0797, CVE-2005-1849)
Summary: dev-lang/erlang bundles internal zlib (CVE-2004-0797, CVE-2005-1849)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Highest normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-07-08 10:43 UTC by Christian Faulhammer (RETIRED)
Modified: 2011-10-30 22:39 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Christian Faulhammer (RETIRED) gentoo-dev 2007-07-08 10:43:31 UTC
After becoming aware that erlang ships its internal copy of zlib (thanks to flameeyes), I checked the version included. Current stable 11.2.1 has zlib 1.1.4 while the latest in testing (11.2.5) has 2.2.3 (current zlib). In between, at least two security issues have been fixed.

See bug 99751 (A1) and bug 61749 (A3). As zlib is patched, I cannot simply remove it and build against the system one, but upstream has promised me to enable that in version 12.

My proposal: Stabilise 11.2.5 immediately (no bug reports in the few days it has been in the tree).
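The report above hinges on a classic supply-chain check: a package vendors its own copy of zlib, so the distribution's system zlib fix for CVE-2004-0797 and CVE-2005-1849 does nothing for it. The following script is an added example (not part of this bug report, the erlang ebuild or the zlib project) showing how a packager can audit an unpacked source tree for bundled zlib copies and flag any older than a chosen floor. The floor value `1.2.3`, the sample headers and the directory layout used by `demo_audit()` are constructed for the example; `ZLIB_VERSION` is the real macro defined in zlib's `zlib.h`.

```python
"""Audit a source tree for bundled (vendored) copies of zlib and report
their versions against a minimum accepted version.

Added example; the version floor and sample data below are constructed.
"""
import os
import re
import tempfile
from typing import Iterator, List, Optional, Tuple

# Matches the real version macro from zlib.h, e.g.  #define ZLIB_VERSION "1.2.3"
_VERSION_RE = re.compile(r'^\s*#\s*define\s+ZLIB_VERSION\s+"([^"]+)"', re.M)

# Assumed floor for this example: the lowest bundled zlib the audit accepts.
MIN_ZLIB_VERSION = "1.2.3"

# Constructed sample headers standing in for the two erlang releases
# discussed in the bug (old bundled zlib vs. current bundled zlib).
SAMPLE_OLD_HEADER = '/* zlib.h -- constructed sample */\n#define ZLIB_VERSION "1.1.4"\n'
SAMPLE_NEW_HEADER = '/* zlib.h -- constructed sample */\n#define ZLIB_VERSION "1.2.3"\n'


def parse_zlib_version(header_text: str) -> Optional[str]:
    """Return the ZLIB_VERSION string from a zlib.h body, or None if absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '1.2.3' into (1, 2, 3); stop at the first non-numeric component,
    so a tag like '1.2.3.f-experimental' still compares as (1, 2, 3)."""
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_outdated(found: str, floor: str = MIN_ZLIB_VERSION) -> bool:
    """True when the bundled version is strictly older than the floor."""
    return version_tuple(found) < version_tuple(floor)


def find_bundled_zlib(root: str) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (path, version) for every zlib.h found below root.
    version is None when the file carries no ZLIB_VERSION macro."""
    for dirpath, _dirs, files in os.walk(root):
        if "zlib.h" in files:
            path = os.path.join(dirpath, "zlib.h")
            with open(path, encoding="utf-8", errors="replace") as fh:
                yield path, parse_zlib_version(fh.read())


def audit(root: str, floor: str = MIN_ZLIB_VERSION) -> List[Tuple[str, Optional[str], bool]]:
    """Return (path, version, outdated) for each bundled zlib under root.
    A header without a recognisable version is flagged as outdated, since an
    unknown bundled copy cannot be assumed to carry the fixes."""
    results = []
    for path, version in find_bundled_zlib(root):
        flagged = version is None or is_outdated(version, floor)
        results.append((path, version, flagged))
    return sorted(results)


def demo_audit() -> List[Tuple[str, Optional[str], bool]]:
    """Build a constructed tree with both sample headers and audit it.
    Paths are returned relative to the temporary root so they are stable."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("erts/old/zlib", SAMPLE_OLD_HEADER),
                          ("erts/new/zlib", SAMPLE_NEW_HEADER)):
            os.makedirs(os.path.join(root, rel))
            with open(os.path.join(root, rel, "zlib.h"), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(os.path.relpath(p, root), v, f) for p, v, f in audit(root)]


if __name__ == "__main__":
    import sys
    # Audit a real unpacked source tree if one is given, else run the demo.
    rows = audit(sys.argv[1]) if len(sys.argv) > 1 else demo_audit()
    for path, version, flagged in rows:
        print(f"{'OUTDATED' if flagged else 'ok      '} {version or '?':8} {path}")
```

Run it against an unpacked source tree (`python audit_zlib.py /path/to/erlang-src`) to list every vendored `zlib.h`; anything reported as OUTDATED needs either a patched bundled copy or a switch to the system library, which is exactly the trade-off the reporter describes.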
Comment 1 Christian Faulhammer (RETIRED) gentoo-dev 2007-07-14 13:34:37 UTC
Arches please stabilise dev-lang/erlang-11.2.5
Comment 2 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-15 22:01:23 UTC
ppc stable
Comment 3 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-17 21:47:56 UTC
sparc stable.
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2007-07-18 05:48:26 UTC
Changing status, as all arches are stable
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-18 06:07:13 UTC
Thx Opfer.

I tend to vote NO.
Comment 6 Ulrich Müller gentoo-dev 2007-07-18 06:43:36 UTC
CVE-2005-1849 and CVE-2004-0797 from the two originally cited zlib bugs are both denial-of-service attacks which IMHO means that this one is severity B3.
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-18 07:34:59 UTC
Thanks Ulrich. I vote NO.
Comment 8 Matt Drew (RETIRED) gentoo-dev 2007-07-24 10:56:47 UTC
I vote no.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-24 11:32:04 UTC
Closing without GLSA then. Feel free to reopen if you disagree, as always :)