Bug 383991 - <media-plugins/audacious-plugins-3.1 Multiple vulnerabilities (CVE-2011-{2911,2912,2913,2914,2915})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://jira.atheme.org/browse/AUDPLUG...
Whiteboard: B2 [glsa]
Duplicates: 390319
Depends on: 395213
Reported: 2011-09-21 17:32 UTC by Agostino Sarubbo
Modified: 2012-03-16 11:27 UTC
Description Agostino Sarubbo gentoo-dev 2011-09-21 17:32:26 UTC
From original advisory, only 3.x version is affected, so there is nothing to stabilize.

Please bump updated version and remove the affected. Thanks
Comment 1 Tony Vroon (RETIRED) gentoo-dev 2011-09-22 14:59:28 UTC
+*audacious-3.0.3 (22 Sep 2011)
+
+  22 Sep 2011; Tony Vroon <chainsaw@gentoo.org> -audacious-3.0.2.ebuild,
+  +audacious-3.0.3.ebuild:
+  Version bump. Ebuild improvements by Agostino "ago" Sarubbo close bugs
+  #380577, #383357 & #383649. Remove vulnerable version for security bug
+  #383991.

+*audacious-plugins-3.0.3 (22 Sep 2011)
+
+  22 Sep 2011; Tony Vroon <chainsaw@gentoo.org>
+  -audacious-plugins-3.0.2.ebuild, +audacious-plugins-3.0.3.ebuild,
+  metadata.xml:
+  Version bump. Ebuild improvements by Agostino "ago" Sarubbo close bugs
+  #380577, #383357 & #383649. Remove vulnerable version for security bug
+  #383991.

Security, please proceed to GLSA voting.
Comment 2 Agostino Sarubbo gentoo-dev 2011-09-22 15:04:34 UTC
(In reply to comment #1)
> Security, please proceed to GLSA voting.

~3 is noglsa, resolved as fixed. Thanks.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-11-13 15:34:15 UTC
*** Bug 390319 has been marked as a duplicate of this bug. ***
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-11-13 15:37:47 UTC
(In reply to comment #0)
> From original advisory, only 3.x version is affected, so there is nothing to
> stabilize.
> 

Agostino, are you sure only 3.x is affected? 

Oftentimes what is listed as "Affected" in bugs is simply the version it was first found in... And what is "Affected" in advisories is what is "Supported" by upstream.
Comment 5 Agostino Sarubbo gentoo-dev 2011-11-14 10:59:02 UTC
(In reply to comment #4)
> Agostino, are you sure only 3.x is affected? 

Sorry for this; after mailing upstream I understood that only 3.0.1 is mentioned because 2.x is no longer supported but is still vulnerable.
Maintainer approves stabilization so I'll add arches.
Comment 6 Agostino Sarubbo gentoo-dev 2011-11-14 11:45:37 UTC
Arches, please test and mark stable:
=media-sound/audacious-3.0.3-r1
=media-plugins/audacious-plugins-3.0.3
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 7 Agostino Sarubbo gentoo-dev 2011-11-14 12:20:47 UTC
amd64 ok
Comment 8 Michael Harrison 2011-11-14 12:31:34 UTC
Depends on:
Required use [...]:

x11-libs/gtk+-3.0.12-r1 [test] 
media-libs/libcanberra-0.28-r5 [gtk3] 
x11-misc/notification-daemon-0.5.0 [gnome]
virtual/notification-daemon-0 [gnome]
x11-libs/libnotify-0.7.4 [libnotify] 
x11-base/xorg-server-1.10.4-r1 [xvfb]

media-plugins/audacious-plugins-3.0.3 [libnotify] 
media-sound/audacious-3.0.3-r1 [xvfb]

~amd64 ok
Comment 9 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-11-15 03:35:49 UTC
amd64: pass
Comment 10 Tony Vroon (RETIRED) gentoo-dev 2011-11-15 08:53:47 UTC
+  15 Nov 2011; Tony Vroon <chainsaw@gentoo.org> audacious-3.1.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+  Elijah "Armageddon" El Lazkani in security bug #383991.

+  15 Nov 2011; Tony Vroon <chainsaw@gentoo.org> audacious-plugins-3.1.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+  Elijah "Armageddon" El Lazkani in security bug #383991.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2011-11-15 15:06:09 UTC
(In reply to comment #10)
> +  15 Nov 2011; Tony Vroon <chainsaw@gentoo.org> audacious-3.1.ebuild:
> +  15 Nov 2011; Tony Vroon <chainsaw@gentoo.org> audacious-plugins-3.1.ebuild:

So we're going for 3.1 now?
Comment 12 Agostino Sarubbo gentoo-dev 2011-11-15 15:07:45 UTC
No, 3.0.3 is already unaffected.
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2011-11-15 16:55:47 UTC
(In reply to comment #12)
> no, already 3.0.3 is unaffected

Then why were both 3.1s marked stable for amd64?
Comment 14 Tony Vroon (RETIRED) gentoo-dev 2011-11-15 17:48:42 UTC
(In reply to comment #13)
> Then why were both 3.1s marked stable for amd64?

Because of a significant amount of bug & stability fixes that have gone in since the 3.0 branch was closed. I do not believe that the modplug vulnerabilities in question were ever relevant to our in-tree copy, which had additional fixes applied and diverged from what upstream had put out.
However, if I am forced into an update, it might as well be one that benefits users. You are free to mark 3.0.3 instead if you disagree.
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2011-11-15 18:08:39 UTC
So we should do this.

Arch teams, please test and mark stable:
=media-sound/audacious-3.1
=media-plugins/audacious-plugins-3.1
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2011-11-15 18:28:03 UTC
Stable for HPPA.
Comment 17 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-12-07 13:48:23 UTC
x86 stable
Comment 18 Mark Loeser (RETIRED) gentoo-dev 2011-12-18 22:40:24 UTC
Fails to build on ppc/ppc64; bug #383991
Comment 19 Tobias Klausmann (RETIRED) gentoo-dev 2012-01-16 08:58:20 UTC
(In reply to comment #18)
> Fails to build on ppc/ppc64; bug #383991

ITYM bug 395213 

Also happens on Alpha, btw.
Comment 20 Tobias Klausmann (RETIRED) gentoo-dev 2012-01-17 13:22:52 UTC
Added code to fix the linker flag bug, stable on alpha.
Comment 21 Raúl Porcel (RETIRED) gentoo-dev 2012-02-19 15:33:11 UTC
sparc stable
Comment 22 Brent Baude (RETIRED) gentoo-dev 2012-03-10 17:00:53 UTC
ppc done
Comment 23 Brent Baude (RETIRED) gentoo-dev 2012-03-11 13:50:32 UTC
ppc64 done
Comment 24 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-11 14:44:06 UTC
Thanks, everyone. Created new GLSA request.
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2012-03-16 11:27:51 UTC
This issue was resolved and addressed in
 GLSA 201203-14 at http://security.gentoo.org/glsa/glsa-201203-14.xml
by GLSA coordinator Sean Amoss (ackle).