FROM $URL:
[258723] Medium CVE-2013-6629: Read of uninitialized memory in libjpeg and libjpeg-turbo. Credit to Michal Zalewski of Google.
[299835] Medium CVE-2013-6630: Read of uninitialized memory in libjpeg-turbo. Credit to Michal Zalewski of Google.
The commit from the chromium repo, not applied to upstream: http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/libjpeg_turbo/jdmarker.c?r1=228381&r2=228380&pathrev=228381
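The bug description and the linked jdmarker.c commit only say "read of uninitialized memory". As an added illustration (not code from libjpeg, libjpeg-turbo, Chromium or Gentoo), the block below models the two marker-parsing patterns the public CVE descriptions name, each beside its hardened form: a DHT parser that writes only the symbol entries actually present in the stream, leaving the rest of the 256-entry huffval array as whatever memory held before (CVE-2013-6630), and a SOS table lookup that never checks whether the indexed Huffman table was defined by any DHT at all (CVE-2013-6629). The decoder struct, the 0xA5 fill standing in for stale allocator contents, and the sample DHT bytes are constructed assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified Huffman table, modelled on libjpeg's JHUFF_TBL layout
 * (an illustration, not libjpeg's own code). */
typedef struct {
    uint8_t bits[17];     /* bits[k] = number of codes of length k, k = 1..16 */
    uint8_t huffval[256]; /* symbols, in order of increasing code length */
    int defined;          /* set once a DHT segment has filled this slot */
} huff_tbl;

#define NUM_HUFF_TBLS 4

typedef struct {
    huff_tbl dc_tbls[NUM_HUFF_TBLS];
    huff_tbl ac_tbls[NUM_HUFF_TBLS];
} decoder;

/* Model of "allocated but never cleared" table memory: the decoder is reused
 * for a second image, so its slots still hold bytes from earlier work.  The
 * 0xA5 fill is an assumption standing in for whatever a real allocator leaves. */
static void decoder_reuse(decoder *d)
{
    memset(d, 0xA5, sizeof *d);
    for (int i = 0; i < NUM_HUFF_TBLS; i++) {
        d->dc_tbls[i].defined = 0;
        d->ac_tbls[i].defined = 0;
    }
}

/* Parse one table from a DHT payload: 1 byte Tc/Th, 16 count bytes, then the
 * symbols.  Returns bytes consumed, or -1 if malformed.  With clear == 0 only
 * the `count` symbols present in the stream are written and huffval[count..255]
 * keep their stale contents (the CVE-2013-6630 pattern); with clear == 1 the
 * whole array is zeroed first, which is the hardened behaviour. */
static int parse_dht_table(decoder *d, const uint8_t *p, size_t len, int clear)
{
    if (len < 17) return -1;
    int tc = p[0] >> 4, th = p[0] & 0x0F;
    if (tc > 1 || th >= NUM_HUFF_TBLS) return -1;
    huff_tbl *tbl = tc ? &d->ac_tbls[th] : &d->dc_tbls[th];
    int count = 0;
    tbl->bits[0] = 0;
    for (int k = 1; k <= 16; k++) {
        tbl->bits[k] = p[k];
        count += p[k];
    }
    if (count > 256 || (size_t)count > len - 17) return -1;
    if (clear) memset(tbl->huffval, 0, sizeof tbl->huffval);
    memcpy(tbl->huffval, p + 17, (size_t)count); /* entries count..255 untouched unless cleared */
    tbl->defined = 1;
    return 17 + count;
}

/* Resolve the DC/AC table index a SOS component names.  Unchecked (check == 0)
 * it hands back the slot whether or not any DHT ever filled it (the
 * CVE-2013-6629 pattern); checked, an undefined table is refused. */
static const huff_tbl *select_table(const decoder *d, int is_ac, int idx, int check)
{
    if (idx < 0 || idx >= NUM_HUFF_TBLS) return NULL;
    const huff_tbl *tbl = is_ac ? &d->ac_tbls[idx] : &d->dc_tbls[idx];
    if (check && !tbl->defined) return NULL;
    return tbl;
}

/* Constructed DHT payload: DC table 0, two codes of length 2, symbols 0 and 1. */
static const uint8_t sample_dht[] = {
    0x00, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x00, 0x01
};

/* Byte left in huffval[255] after parsing sample_dht into a reused decoder:
 * the stale 0xA5 without clearing, 0 with clearing. */
int demo_stale_byte(int clear)
{
    decoder d;
    decoder_reuse(&d);
    if (parse_dht_table(&d, sample_dht, sizeof sample_dht, clear) != (int)sizeof sample_dht)
        return -1;
    return d.dc_tbls[0].huffval[255];
}

/* 1 if a SOS lookup of a table no DHT ever defined (AC table 1) is honoured. */
int demo_undefined_table_used(int check)
{
    decoder d;
    decoder_reuse(&d);
    parse_dht_table(&d, sample_dht, sizeof sample_dht, 1);
    return select_table(&d, 1, 1, check) != NULL;
}

int main(void)
{
    printf("huffval[255] without clearing: 0x%02x, with clearing: 0x%02x\n",
           demo_stale_byte(0), demo_stale_byte(1));
    printf("undefined table honoured unchecked: %d, checked: %d\n",
           demo_undefined_table_used(0), demo_undefined_table_used(1));
    return 0;
}
```

The point for anyone backporting such a fix to an older libjpeg (as the jpeg-6b and jpeg-8d revisions in this bug do): both halves matter. Clearing the table array stops stale heap bytes from being decoded as symbols, and checking `defined` (or, as upstream chose, substituting the standard tables) stops a scan from pulling in a slot that no DHT segment ever touched.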
libjpeg-turbo-1.3.0-r3 has the upstream fix for this: http://sourceforge.net/p/libjpeg-turbo/code/1090/ However, there's some work to be done before 1.3.0-r3 is ready for stable, and I've lately been away a lot. I'll have to check the current status before saying anything about stabilization; please hold on.
These should be OK to stabilize:
=virtual/jpeg-0-r2 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
=virtual/jpeg-62 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86
=media-libs/libjpeg-turbo-1.3.0-r3 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86 (has a patch for CVE-2013-6629 and 6630)
=media-libs/jpeg-8d-r1 alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86 (has a patch for CVE-2013-6629 only, see bug 491152)
=media-libs/jpeg-6b-r12 amd64 x86 (has a patch for CVE-2013-6629 only, see bug 491152)
Sorry if I listed some now only ~arch ones.
x86 stable
amd64 stable
Stable for HPPA.
This needs a bump of app-office/libreoffice-bin. Will add it here and re-add amd64/x86 once the files are read.
ia64 stable
@ amd64, x86:
Please test and fast-stabilize (needed since the soversion of the jpeg library changed):
app-office/libreoffice-bin-4.1.4.2
app-office/libreoffice-bin-debug-4.1.4.2
app-office/libreoffice-l10n-4.1.4.2
I see this:
# required by =app-office/libreoffice-bin-debug-4.1.4.2 (argument)
# /usr/portage/profiles/package.mask:
# Andreas K. Huettel <dilfridge@gentoo.org> (19 Nov 2013)
# Something is wrong with the distfiles, maybe caused by mirrormaster
# overload. Please deinstall app-office/libreoffice-bin-debug for now;
# I'm considering abandoning the debug info because of its file size.
=app-office/libreoffice-bin-debug-4.1.4.2
Is that normal? :/
(In reply to Pacho Ramos from comment #10)
> I see this:
> # required by =app-office/libreoffice-bin-debug-4.1.4.2 (argument)
> # /usr/portage/profiles/package.mask:
> # Andreas K. Huettel <dilfridge@gentoo.org> (19 Nov 2013)
> # Something is wrong with the distfiles, maybe caused by mirrormaster
> # overload. Please deinstall app-office/libreoffice-bin-debug for now;
> # I'm considering abandoning the debug info because of its file size.
> =app-office/libreoffice-bin-debug-4.1.4.2
>
> is that normal? :/
Ouch. Sorry, I thought that mask was long gone. I removed it from package.mask just now. (/me wonders why no one noticed so far...)
I get:
!!! Fetched file: amd64-debug-libreoffice-4.1.3.2-r3.tar.xz VERIFY FAILED!
!!! Reason: Failed on WHIRLPOOL verification
!!! Got: 8bc4e005c76ef33507b54802d46e96248ad137328c52c0411b65bf1f2895c7ff3c23cf71b16bff6483988734d6958b31fec018eff8e91685630c312020691502
!!! Expected: 57d5e3233c53517b862f987851ee503b61414774426566f9d945dd42792520a062855d0319bc10dfe2a24fd5583c455142c1be4fff7c8369969b0f2578d7a62d
Refetching... File renamed to '/usr/distfiles/amd64-debug-libreoffice-4.1.3.2-r3.tar.xz._checksum_failure_.jK3yCV'
forever while running repoman full :(
(In reply to Pacho Ramos from comment #12)
> I get:
> !!! Fetched file: amd64-debug-libreoffice-4.1.3.2-r3.tar.xz VERIFY FAILED!
> !!! Reason: Failed on WHIRLPOOL verification
> !!! Got: 8bc4e005c76ef33507b54802d46e96248ad137328c52c0411b65bf1f2895c7ff3c23cf71b16bff6483988734d6958b31fec018eff8e91685630c312020691502
> !!! Expected: 57d5e3233c53517b862f987851ee503b61414774426566f9d945dd42792520a062855d0319bc10dfe2a24fd5583c455142c1be4fff7c8369969b0f2578d7a62d
> Refetching... File renamed to '/usr/distfiles/amd64-debug-libreoffice-4.1.3.2-r3.tar.xz._checksum_failure_.jK3yCV'
>
> forever while running repoman full :(
Once solved, feel free to stabilize on amd64 (the apps look to work OK).
(In reply to Pacho Ramos from comment #13)
> (In reply to Pacho Ramos from comment #12)
> > I get:
> > !!! Fetched file: amd64-debug-libreoffice-4.1.3.2-r3.tar.xz VERIFY FAILED!
> > !!! Reason: Failed on WHIRLPOOL verification
> > !!! Got:
> >
> > forever while running repoman full :(
>
> Once solved, feel free to stabilize on amd64 (the apps look to work ok)
Sorry for the mess; the bad hashes from the last bump must have survived in my mini lo-bin overlay. Fixed and marked amd64 stable.
Portage now complains for people using app-office/libreoffice (not -bin). It wants to update app-office/libreoffice-l10n-4.1.4.2, but cannot because current stable is app-office/libreoffice-4.1.3.2-r2. I guess you should consider stabilizing app-office/libreoffice-4.1.4.2 as well.
(In reply to Jérôme Borme from comment #15)
> Portage now complains for people using app-office/libreoffice (not -bin). It
> wants to update app-office/libreoffice-l10n-4.1.4.2, but cannot because
> current stable is app-office/libreoffice-4.1.3.2-r2. I guess you should
> consider stabilizing app-office/libreoffice-4.1.4.2 as well.
Not a bug. (Yes, I would not complain about stabilizing app-office/libreoffice-4.1.4.2 as well, but it's (a) not required here, and (b) puts undue stress on the arch teams.)
OK, fine. (So, in order to improve the correctness of my future bug reports, could you explain or point me at some resource that tells me why it's not a bug? What I saw is that a stable system suddenly started giving conflicting dependencies, forcing me to either 1) update to unstable app-office/libreoffice or 2) manually mask the stable app-office/libreoffice-l10n. Both options defeat the purpose of having the stable tree, where packages which depend on each other play nice together. I always thought this would be a bug worth reporting.)
arm stable
*** Bug 500618 has been marked as a duplicate of this bug. ***
(In reply to Andreas K. Hüttel from comment #16)
> (In reply to Jérôme Borme from comment #15)
> > Portage now complains for people using app-office/libreoffice (not -bin). It
> > wants to update app-office/libreoffice-l10n-4.1.4.2, but cannot because
> > current stable is app-office/libreoffice-4.1.3.2-r2. I guess you should
> > consider stabilizing app-office/libreoffice-4.1.4.2 as well.
>
> Not a bug.
Yes it is. It's what we call "breaking the tree".
(In reply to Jeroen Roovers from comment #20)
> (In reply to Andreas K. Hüttel from comment #16)
> > (In reply to Jérôme Borme from comment #15)
> > > Portage now complains for people using app-office/libreoffice (not -bin). It
> > > wants to update app-office/libreoffice-l10n-4.1.4.2, but cannot because
> > > current stable is app-office/libreoffice-4.1.3.2-r2. I guess you should
> > > consider stabilizing app-office/libreoffice-4.1.4.2 as well.
> >
> > Not a bug.
>
> Yes it is. It's what we call "breaking the tree".
Not so sure about that; I consider that message informative and not a warning or error. Anyway, stabilization has been requested in bug 500622.
alpha stable
ppc64 stable
ppc stable
(In reply to Andreas K. Hüttel from comment #9)
> @ amd64, x86:
>
> Please test and fast-stabilize (needed since the soversion of the jpeg
> library changed):
>
> app-office/libreoffice-bin-4.1.4.2
> app-office/libreoffice-bin-debug-4.1.4.2
> app-office/libreoffice-l10n-4.1.4.2
Please open another bug for that; this is not the right place.
sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
(In reply to Agostino Sarubbo from comment #25)
> (In reply to Andreas K. Hüttel from comment #9)
> > @ amd64, x86:
> >
> > Please test and fast-stabilize (needed since the soversion of the jpeg
> > library changed):
> >
> > app-office/libreoffice-bin-4.1.4.2
> > app-office/libreoffice-bin-debug-4.1.4.2
> > app-office/libreoffice-l10n-4.1.4.2
>
> Please open another bug for that, this is not the right place.
x86 can't clean up, since the current stable libreoffice-bin hard-depends on the vulnerable version. So this *is* the right place.
(In reply to Andreas K. Hüttel from comment #27)
> x86 can't cleanup since current stable libreoffice-bin hard-depends on the
> vulnerable version. So this *is* the right place.
In the future, please open another bug and make the block.
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201606-03 at https://security.gentoo.org/glsa/201606-03 by GLSA coordinator Yury German (BlueKnight)