The ebuild installs the packaged openssl libraries into /opt/dropbox. These may be outdated and have unpatched security issues. Just remove them and the linker will use the openssl libs from the system. The packaged version is currently 0.9.8e, which has numerous CVEs filed against it, while portage has 0.9.8t.

Reproducible: Always
Created attachment 299933: dropbox-1.2.48-r2.ebuild
Added RDEPEND on openssl:0.9.8 and rm the packaged libs. Tested on x86_64.
Created attachment 299935: the same changes in form of a patch
Hey guys, please consider bumping to the latest stable, currently 1.2.51 according to https://www.dropbox.com/release_notes
Kind regards!
Created attachment 300041: dropbox-1.2.51.ebuild
Version bump is only a matter of renaming the ebuild :-)
Created attachment 300413: dropbox-1.2.51.ebuild
Also remove bundled zlib and bz2
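An added example, not part of the bug report or the ebuild: a check for the bundled openssl, zlib and bz2 copies discussed above that also reports whether a same-named system library exists, since removal only works when the linker has a system copy to fall back to. The function name, the status labels and the system library directories passed in are assumptions.

```shell
#!/bin/sh
# audit_bundled PREFIX SYSDIR...
# Prints "<status> <path>" for each bundled libssl/libcrypto/libz/libbz2
# found under PREFIX (e.g. /opt/dropbox).
#   system-copy     a file with the same name exists in one of the SYSDIRs,
#                   so the linker can use it once the bundled copy is gone
#   no-system-copy  nothing to fall back to; add the dependency first
# Assumption: matching by file name stands in for matching the soname.
audit_bundled() {
    prefix=$1
    shift
    [ -d "$prefix" ] || { echo "no such directory: $prefix" >&2; return 2; }
    find "$prefix" \( -type f -o -type l \) \( \
            -name 'libssl.so*' -o -name 'libcrypto.so*' \
            -o -name 'libz.so*' -o -name 'libbz2.so*' \) -print |
    sort |
    while IFS= read -r lib; do
        name=${lib##*/}
        status=no-system-copy
        for dir in "$@"; do
            if [ -e "$dir/$name" ]; then
                status=system-copy
                break
            fi
        done
        printf '%s %s\n' "$status" "$lib"
    done
}

# Example invocation: sh audit.sh /opt/dropbox /usr/lib64 /lib64
if [ "$#" -gt 0 ]; then
    audit_bundled "$@"
fi
```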
+*dropbox-1.2.51 (15 Feb 2012) + + 15 Feb 2012; Justin Lecher <jlec@gentoo.org> dropbox-1.2.13.ebuild, + dropbox-1.2.13-r1.ebuild, dropbox-1.2.13-r2.ebuild, dropbox-1.2.24.ebuild, + dropbox-1.2.24-r1.ebuild, dropbox-1.2.48.ebuild, +dropbox-1.2.51.ebuild, + metadata.xml: + Version Bump, #402501, drop a copuple of bundled libs, #400877, drop + mprotect() PaX flag, #401467, drop . from DESCRIPTION +
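Review bot: the ChangeLog entry for #400877 reads "drop a copuple of bundled libs", which misspells "couple" and does not say which libraries were dropped. Since the removal is a security fix, name them explicitly (the thread mentions openssl, zlib and bz2) so that anyone auditing the package history can see when the bundled copies stopped being installed.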