Home | Docs | Forums | Lists | Bugs | Planet | Store | GMN | Get Gentoo!
View Bug Activity | Format For Printing | XML | Clone This Bug
app-sci/gimps-23.9 installs /opt/gimps/mprime with ownership nobody:nogroup. In the default configuration, the initscript executes it as root user. If /opt is mounted via NFS, it might be possible to overwrite mprime by an arbitrary binary. The same applies to the stable -23.5 version. (Probably, it should be the other way around: the binary should be owned by root and run as a special user.)
Hi Michal, Please commit a fixed version.
sci please fix setiathome,chessbrain and any other applications with similar issues.
Gimps is now fixed.
sci please fix this ASAP.
Fixed for "app-sci/chessbrain". "app-sci/foldingathome" is also affected.
Thanks Olivier. sci please fix foldingathome also.
Fixed "app-sci/setiathome-3.08" (the version for x86 and amd64). Could someone with access to either ppc, sparc, hppa or ia64 please do the same for version 3.03? This seems to be the last affected package. "app-sci/foldingathome" is not affected. (That was my mistake.)
Olivier just update the ebuilds and mark stable on the arches you have access to. Security will handle stable marking for other arches.
Fixed "app-sci/setiathome-3.03". All four supported arches are marked unstable.
Arches please mark setiathome stable. Fixed versions are 3.03-r2 and 3.08-r4. Combined target keywords for setiathome: x86 amd64 ppc sparc -alpha hppa ia64
sparc has following problems with setiathome-3.03-r2: 1) If you happen to have USE='X', installation fails because there is no xsetiathome; 2) If you do not have USE='X', the program installed at /opt/setiathome/setiathome is not made executable: You need to do 'chmod +x /opt/setiathome/setihome' by hand. (Previous 3.03-r1 ebuild takes care of this, but I do not know if the deletion was intentional or not. In any event, as it stands, what is installed for -r2 cannot be used but -r1 can be.) ======================== setiathome-3.08 is a nonstarter for sparc, since it does not actually exist. Regards, Ferris
Back to ebuild status. Olivier please fix.
Should be fixed in CVS, but I cannot test it.
setiathome-3.03-r2 now installs and runs for sparc; sparc done.
Back to stable marking. Thx Olivier.
setiathome stable on ppc
Thx Ferris. Please remember to remove arch from CC when you mark stable.
Sorry. It wasn't completely clear to me that setiathome was the only thing that needed looking at. (Although I guess Comment 7 gives a pretty good indication.)
GLSA drafted Security please review.
GLSA 200411-26 sci please remember to remove old vulnerable ebuilds that are no longer needed.
Removed insecure versions for "app-sci/{gimp,chessbrain}". Must hppa and ia64 mark "app-sci/setiathome-3.03-r2" stable before I remove r1, or should I remove it immediately?
Yes, you should remove r1 only when hppa and ia64 mark "app-sci/setiathome-3.03-r2" stable.
Removed hppa keyword because the tarball is not available
