Bug 197313 - Please stabilise app-editors/emacs-21.4-r14
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All (OS: All)
Importance: High normal
Assignee: Emacs project
Keywords: STABLEREQ
Depends on: 174880 174882
Reported: 2007-10-28 18:48 UTC by Ulrich Müller
Modified: 2008-01-22 07:57 UTC
Description Ulrich Müller gentoo-dev 2007-10-28 18:48:53 UTC
"Emacs 21 allows user-assisted attackers to cause a denial of service (crash) via certain crafted images, as demonstrated via a GIF image in vm mode, related to image size calculation."

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2833>

Vulnerable versions: <21.4-r13
Unaffected versions: >=21.4-r13, <19

I'll commit a fixed emacs-21.4-r13.ebuild as soon as the new patchset is on the mirrors.
Comment 1 Ulrich Müller gentoo-dev 2007-10-28 20:32:43 UTC
Proposing A3 as severity level.

Arch teams: Please stabilise app-editors/emacs-21.4-r13.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-28 20:45:20 UTC
Thanks for the notification Ulrich. However, the Security Team normally doesn't handle simple crashes in client applications when users have to take action. Reassigning to maintainer.
Comment 3 Ulrich Müller gentoo-dev 2007-10-29 05:46:59 UTC
The only change between -r12 and -r13 is a small patch for handling of GIF images (14_all_gif-image-size.patch in the patchset). It has also been included in Debian's version for some time: <http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=21;filename=emacs21-408929.patch;att=1;bug=408929>.

Therefore, I think it is still justified to stabilise -r13 immediately.
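The bug description only says the crash is "related to image size calculation" on a crafted GIF. The class of check that addresses that failure mode is a bounds check of the image descriptor against the logical screen declared in the GIF header, done in arithmetic wide enough that the 16-bit fields cannot wrap. The following is an added illustration of that check, written for this page; it is not 14_all_gif-image-size.patch, not Emacs or Debian code, and makes no claim about where in Emacs the actual fault lay. The GIF layout it walks is the public GIF87a/89a format; the sample byte strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian 16-bit field, as used throughout the GIF format. */
static unsigned le16(const unsigned char *p)
{
    return (unsigned)p[0] | ((unsigned)p[1] << 8);
}

/* Walks a GIF header and returns:
 *   1  the first image descriptor fits inside the logical screen,
 *   0  it does not (oversized or wrapping position/size: reject before
 *      allocating or copying pixels),
 *  -1  truncated or not a GIF at all.
 * Pixel data is never decoded; only the header fields are inspected. */
int gif_first_image_fits(const unsigned char *buf, size_t len)
{
    if (len < 13) return -1;                         /* signature + screen descriptor */
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return -1;

    unsigned screen_w = le16(buf + 6);
    unsigned screen_h = le16(buf + 8);
    unsigned packed   = buf[10];
    size_t pos = 13;

    if (packed & 0x80) {                             /* global colour table present */
        size_t gct_bytes = 3u << ((packed & 0x07) + 1);   /* 3 * 2^(N+1) */
        if (len - pos < gct_bytes) return -1;
        pos += gct_bytes;
    }

    /* Skip extension blocks (0x21 introducer, label, sub-blocks, 0 terminator)
     * until the image separator 0x2C. */
    while (pos < len && buf[pos] == 0x21) {
        pos += 2;
        for (;;) {
            if (pos >= len) return -1;
            unsigned sub = buf[pos++];
            if (sub == 0) break;
            if (len - pos < sub) return -1;
            pos += sub;
        }
    }
    if (pos >= len || buf[pos] != 0x2C) return -1;
    if (len - pos < 10) return -1;                   /* separator + 9 descriptor bytes */

    unsigned left = le16(buf + pos + 1);
    unsigned top  = le16(buf + pos + 3);
    unsigned w    = le16(buf + pos + 5);
    unsigned h    = le16(buf + pos + 7);

    /* The bounds check itself. Sums are computed in unsigned int, so a
     * left/top near 0xFFFF cannot wrap back into range as it would in a
     * uint16_t, and a subimage larger than the screen is rejected outright. */
    if (w == 0 || h == 0) return 0;
    if (left + w > screen_w || top + h > screen_h) return 0;
    return 1;
}

/* Constructed samples (not real-world files). 4x4 logical screen, 2-entry
 * global colour table, one graphic control extension, then the descriptor. */
static const unsigned char gif_ok[] = {
    'G','I','F','8','9','a', 0x04,0x00, 0x04,0x00, 0x80, 0x00, 0x00,
    0x00,0x00,0x00, 0xFF,0xFF,0xFF,
    0x21,0xF9,0x04, 0x00,0x00,0x00,0x00, 0x00,
    0x2C, 0x00,0x00, 0x00,0x00, 0x04,0x00, 0x04,0x00, 0x00
};
/* Same screen, but the descriptor claims a 65535-pixel-wide subimage. */
static const unsigned char gif_oversized[] = {
    'G','I','F','8','9','a', 0x04,0x00, 0x04,0x00, 0x00, 0x00, 0x00,
    0x2C, 0x00,0x00, 0x00,0x00, 0xFF,0xFF, 0x04,0x00, 0x00
};
/* 32x4 screen; left=0xFFF0, width=0x20: a 16-bit sum wraps to 0x10 and would
 * pass a naive check, the unsigned int sum is 0x10010 and is rejected. */
static const unsigned char gif_wrap[] = {
    'G','I','F','8','9','a', 0x20,0x00, 0x04,0x00, 0x00, 0x00, 0x00,
    0x2C, 0xF0,0xFF, 0x00,0x00, 0x20,0x00, 0x04,0x00, 0x00
};

int main(void)
{
    printf("ok        -> %d\n", gif_first_image_fits(gif_ok, sizeof gif_ok));
    printf("oversized -> %d\n", gif_first_image_fits(gif_oversized, sizeof gif_oversized));
    printf("wrap      -> %d\n", gif_first_image_fits(gif_wrap, sizeof gif_wrap));
    printf("truncated -> %d\n", gif_first_image_fits(gif_ok, 20));
    return 0;
}
```

A decoder that sizes its pixel buffer from the logical screen and then copies the subimage at (left, top) needs exactly this check, or an equivalent clamp, before touching the buffer; the "wrap" sample is why the comparison must not be done in the 16-bit width of the fields.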
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-30 09:54:10 UTC
x86 stable
Comment 5 Ferris McCormick (RETIRED) gentoo-dev 2007-10-30 11:53:14 UTC
Sparc stable, as it is also for emacs-22.1-r1.  (I wonder why emacs is slotted and I have two versions installed; must have missed something along the way.)
Comment 6 nixnut (RETIRED) gentoo-dev 2007-10-30 17:38:55 UTC
ppc stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-31 16:51:20 UTC
Stable for HPPA.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2007-11-01 12:35:02 UTC
alpha/ia64 stable
Comment 9 Ulrich Müller gentoo-dev 2007-11-14 08:08:09 UTC
amd64 stable.
Comment 10 Brent Baude (RETIRED) gentoo-dev 2007-11-14 16:05:22 UTC
ppc64 stable
Comment 11 Ulrich Müller gentoo-dev 2007-12-09 11:28:57 UTC
emacs-21.4-r13 was removed because of bug #200297.
Please keyword and stabilise -r14 instead.

This fixes the following issues (as compared to -r4):
- portage temp strings embedded, bug #22563
- chmod: too few arguments, bug #85968
- libungif/libgif problem, bug #95961
- fonts when using X, bug #137598
- emerge segfaults, bug #153173
- correctly use aspell when having it installed, bug #158850
- install man pages properly, bug #164969
- man pages not available, bug #165466
- blessmail compilation failure, bug #166059
- man page file collisions, bug #167883
- user-installed subdirs.el is overridden, bug #169107
- libXaw dependency issue, bug #174453
- autoconf issues, bug #180082
- segfault in X menu, bug #180142
- crash on malformed GIF images (CVE-2007-2833), bug #197313
- buffer overflow in format function (CVE-2007-6109), bug #200297
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2007-12-11 09:32:20 UTC
arm stable