Bug#: 217603
Status: RESOLVED
Resolution: WONTFIX
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Matthias Geerdsen <vorlon@gentoo.org>

Bug 217603 depends on: 217715

Description: Opened: 2008-04-14 09:15 0000
This bug is not public yet, please do not disclose any information.

vorbis-tools appears to include vulnerable speex code

see http://www.ocert.org/advisories/ocert-2008-2.html
as well as bug 216499 and bug 217373 for similar issues

------- Comment #1 From Samuli Suominen 2008-04-14 13:55:08 0000 -------
(In reply to comment #0)
> This bug is not public yet, please do not disclose any information.
> 
> vorbis-tools appears to include vulnerable speex code
> 
> see http://www.ocert.org/advisories/ocert-2008-2.html
> as well as bug 216499 and bug 217373 for similar issues
> 

+*vorbis-tools-1.2.0-r1 (14 Apr 2008)
+
+  14 Apr 2008; Samuli Suominen <drac@gentoo.org>
+  +files/vorbis-tools-1.2.0-sec.patch, +vorbis-tools-1.2.0-r1.ebuild:
+  Fix for security #217603.

Should be fine, but kindly review vorbis-tools-1.2.0-sec.patch to verify.

------- Comment #2 From Samuli Suominen 2008-04-14 14:05:01 0000 -------
(In reply to comment #0)
> This bug is not public yet, please do not disclose any information.

I've talked about it with aballier, and reported it at upstream trac (since it has been
a pain to get hold of the xiph guys by other means)

------- Comment #3 From Matthias Geerdsen 2008-04-14 14:23:54 0000 -------
Maybe I should have included a bit more information, but this was not meant to
be made public yet (see the first sentence in the description and CONFIDENTIAL in
the status whiteboard), even though this was more of a semi-public, but still
confidential, bug.
BTW, maintainers were contacted by oCERT a few days ago AFAIK.

http://www.gentoo.org/security/en/coordinator_guide.xml#doc_chap4 has the
details on handling confidential vulnerabilities.

------- Comment #4 From Robert Buchholz 2008-04-14 16:59:20 0000 -------
Arch Security Liaisons, please test and mark stable:
=media-sound/vorbis-tools-1.2.0-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer

------- Comment #5 From Jeroen Roovers 2008-04-14 17:58:44 0000 -------
Stable for HPPA.

------- Comment #6 From Markus Rothe 2008-04-14 18:00:33 0000 -------
ppc64 stable

------- Comment #7 From Raúl Porcel 2008-04-14 18:03:06 0000 -------
Adding Tobias for alpha

------- Comment #8 From Ferris McCormick 2008-04-14 18:32:50 0000 -------
Sparc stable.

------- Comment #9 From Samuli Suominen 2008-04-14 19:35:30 0000 -------
amd64 stable

------- Comment #10 From Markus Meier 2008-04-14 20:47:36 0000 -------
x86 stable

------- Comment #11 From Tobias Klausmann 2008-04-15 20:00:42 0000 -------
Stable for alpha.

------- Comment #12 From Tobias Scherbaum 2008-04-16 19:37:58 0000 -------
ppc stable

------- Comment #13 From Matthias Geerdsen 2008-04-17 09:42:33 0000 -------
now public via http://www.ocert.org/advisories/ocert-2008-004.html

------- Comment #14 From Matthias Geerdsen 2008-04-17 10:09:43 0000 -------
This will be fixed with the speex update in bug 217715; keeping this open until the
GLSA has been released.

removing arch liaisons, adding herd, ...

------- Comment #15 From Robert Buchholz 2008-04-17 12:17:11 0000 -------
speex has been sent as GLSA 200804-17; this also fixes this bug.
