Bug#: 213889
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Jeroen Roovers <jer@gentoo.org>

Description:   Opened: 2008-03-19 05:41 0000
From the advisory:

   "The vulnerabilities described in this advisory can potentially affect 
    programs that handle the archive formats ACE, ARJ, BZ2, CAB, GZ, LHA,
    RAR, TAR, ZIP and ZOO."

Ignore the libarchive advisory for Gentoo - that's ancient. What certainly
appears to be needed is for the older app-arch/p7zip-4.55-r1 to be removed
(perhaps patched?).

------- Comment #1 From Robert Buchholz 2008-03-19 11:32:54 0000 -------
4.57 that is marked as not vulnerable by CERT-FI is in the tree and stable,
since January and March, see bug 207520 and bug 213595.

Removal of the affected versions would be nice, but is up to the maintainer.
For us, this now poses the question whether we send a GLSA. I'll inquire
upstream about impact.

------- Comment #2 From Radoslaw Stachowiak 2008-03-21 11:23:24 0000 -------
Removed 4.55* from Portage.

Who should close the bug now?

------- Comment #3 From Robert Buchholz 2008-03-21 12:27:44 0000 -------
We will, as soon as we know what the scope of the vulnerability is.

------- Comment #4 From Robert Buchholz 2008-04-01 17:17:23 0000 -------
Quoting upstream:
I don't remember exact things that were fixed according to that Test Suite. Maybe
I've fixed some things, maybe not.

------- Comment #5 From Pierre-Yves Rofes 2008-04-08 21:33:10 0000 -------
(In reply to comment #4)
> Quoting upstream:
> I don't remember exact things that were fixed according to that Test Suite. Maybe
> I've fixed some things, maybe not.
> 

great :/
I'd be in favor of just closing this without GLSA... so voting NO.

------- Comment #6 From Raphael Marichez 2008-04-09 17:16:41 0000 -------
(In reply to comment #5)
> (In reply to comment #4)
> > Quoting upstream:
> > I don't remember exact things that were fixed according to that Test Suite. Maybe
> > I've fixed some things, maybe not.
> > 
> 
> great :/
> I'd be in favor of just closing this without GLSA... so voting NO.


OK, let's say "fixed".
