From ${URL} : Security researchers at NCC Group have discovered that CVE-2009-0689, a definite DoS (and possible arbitrary code execution) in various applications' string-to-double parser implementations, also applies to Mono versions prior to 4.2. A fix is available at https://gist.github.com/directhex/01e853567fd2cc74ed39 and should apply cleanly to all versions of Mono you might care about. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
There are a number of non-vulnerable (but non-stable) versions in the tree. Please advise what you would like to do on this B2 vulnerability.
Any updates on this?
ping
I don't think we need so many unstable versions. Does anybody really need anything between 4.0 and 4.3.x, considering these were never stabilized?

Just for clarity, strtod.c was deleted and its functionality replaced by code imported from the reference source over a year ago.

$ git log --stat --notes --follow -M -- mono/utils/strtod.c
commit 1886cdc73fe5aa01cfe8bd305b21e9ea0ceb5c91
Author: Ludovic Henry <ludovic.henry@xamarin.com>
Date:   Wed May 13 17:20:58 2015 +0100

    [referencesource] Import System.Double and System.Simple

 mono/utils/strtod.c | 3360 ---------------------------------------------------
 1 file changed, 3360 deletions(-)
(In reply to Dan Douglas from comment #4)
> I don't think we need so many unstable versions. Does anybody really need
> anything between 4.0 and 4.3.x, considering these were never stabilized?
>
> Just for clarity, strtod.c was deleted and its functionality replaced by
> code imported from the reference source over a year ago.

As per Dan above. Maintainers, what version do you want to go stable?
@arches, please stabilize: =dev-lang/mono-4.4.0.148 @maintainer(s), 4.4.0.148 is not vulnerable, but choosing the latest version to stabilize here.
Sorry... @arches, please stabilize: =dev-lang/mono-4.4.1.0 @maintainer(s), 4.4.0.148 is not vulnerable, but choosing the latest version to stabilize here.
amd64 stable
x86 stable
arches - please complete PPC
This has broken lots of reverse dependencies due to bug 580316. If you drop older mono versions before fixing them, people will simply get things completely broken without the ability to downgrade as a workaround :/
Pacho, we will just set the cleanup to depend on bug 580316, but we still need to have a known non-vulnerable version in the tree for those that do not have dependency issues, and PPC is still not stable.
ppc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No Maintainer(s), please drop the vulnerable version(s).
Sorry my mistake B2 = GLSA. New GLSA Request filed.
Maintainer(s), please drop the vulnerable version(s).
This bug isn't ready yet. v2.10.x is still vulnerable. @Maintainer(s): Please rev bump and add https://gist.github.com/directhex/01e853567fd2cc74ed39
@Maintainers ping, mono-4.4.1.0 is stable, can you clean 2.10.9-r2? Thanks
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d020793ed31be890423115b5a25529dea0b545ef

commit d020793ed31be890423115b5a25529dea0b545ef
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-03 18:50:33 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-03 19:19:46 +0000

    dev-lang/mono: drop vulnerable. use HTTPS.

    Bug: https://bugs.gentoo.org/568988
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
    Closes: https://github.com/gentoo/gentoo/pull/7792

 dev-lang/mono/Manifest               |   1 -
 dev-lang/mono/mono-2.10.9-r2.ebuild  | 265 -----------------------------------
 dev-lang/mono/mono-4.4.1.0.ebuild    |   4 +-
 dev-lang/mono/mono-4.6.1.5-r1.ebuild |   6 +-
 dev-lang/mono/mono-4.6.1.5.ebuild    |   6 +-
 dev-lang/mono/mono-4.8.0.425.ebuild  |   6 +-
 dev-lang/mono/mono-4.8.0.495.ebuild  |   6 +-
 dev-lang/mono/mono-4.8.0.524.ebuild  |   6 +-
 dev-lang/mono/mono-5.4.1.6.ebuild    |   6 +-
 9 files changed, 20 insertions(+), 286 deletions(-)
Tree is clean. No PoC for ACE/RCE. Downgraded. GLSA Vote: No