120224 2006-01-24 14:50 0000 dev-lisp/clisp-2.38 fixes security issue 2006-02-11 11:37:50 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED ? [noglsa] DerCorny P2 normal --- 1 carlo@gentoo.org security@gentoo.org common-lisp@gentoo.org lisp@gentoo.org wolf31o2@gentoo.org carlo@gentoo.org 2006-01-24 14:50:42 0000 The following freshmeat information: A security issue in the SYSLOG interface (POSIX module) and an OPEN/:APPEND regression have been fixed. SAVEINITMEM can create standalone executables. and the ChangeLog: * POSIX:SYSLOG no longer recognizes "%m" and other formatting instructions. For your safety and security, please do all formatting in Lisp. are unfortunately both not specific about the vulnerability. dercorny@gentoo.org 2006-01-24 14:59:12 0000 please provide fixed ebuilds, thx mkennedy@gentoo.org 2006-01-25 13:51:17 0000 I just committed a new ebuild for clisp-2.38. Will we be issuing a GLSA? I think the security issue at hand is an unsafe function in CLISP POSIX package, so my feeling is it is not necessary... dercorny@gentoo.org 2006-01-25 14:01:58 0000 ppc and x86, please mark stable. Regarding a GLSA, I'm not sure yet - I guess there will be a vote to decide that after arches marked stable. halcy0n@gentoo.org 2006-01-27 17:17:17 0000 x86 done dertobi123@gentoo.org 2006-01-28 02:41:47 0000 ppc stable dercorny@gentoo.org 2006-01-28 06:29:18 0000 lets have a glsa vote. perl had something similar and we issued a glsa back then. Though i'd say no, C also has unsafe formatted printing functions and nobody would "fix" them... jaervosz@gentoo.org 2006-02-06 12:26:46 0000 I tend to vote YES. koon@gentoo.org 2006-02-07 10:19:18 0000 I tend to vote no... koon@gentoo.org 2006-02-11 11:37:50 0000 This is not really a security issue. It's a security improvement, that removes some POSIX compatibility functions that would be unsafe if improperly used. Correcting to full NO and closing, feel free to reopen if you disagree.