159886 2007-01-03 11:47 0000 dev-lang/mono <1.2.2.1: information disclosure with %20 (CVE-2006-6104) 2007-01-17 21:48:34 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B4? [glsa] P2 minor --- 160164 157288 1 compnerd@gentoo.org security@gentoo.org dotnet@gentoo.org compnerd@gentoo.org 2007-01-03 11:47:37 0000 This addresses a security issue (CVE-2006-6104) and is a *MUCH* improved version. vorlon@gentoo.org 2007-01-06 13:43:48 0000 i am hijacking this bug for security, since this fixes a security issue compnerd, pls assign security issues to the security team... we will handle stable marking no need to restrict this bug either, since the issue is public and arch teams cannot access it this way armin76@gentoo.org 2007-01-06 17:14:34 0000 In x86: Emerges and seems to work. However: Running eautoreconf in '/var/tmp/portage/mono-1.2.2.1/work/mono-1.2.2.1/libgc' ... QA Notice: ${WANT_AUTOCONF} variable unset. Please report on http://bugs.gentoo.org/ QA Notice: ${WANT_AUTOMAKE} variable unset. Please report on http://bugs.gentoo.org/ Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-gentoo-r6 i686) ================================================================= System uname: 2.6.18-gentoo-r6 i686 AMD Athlon(tm) Processor Gentoo Base System version 1.12.6 Last Sync: Sat, 06 Jan 2007 09:50:01 +0000 distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] app-admin/eselect-compiler: [Not Present] dev-java/java-config: [Not Present] dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.14 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=athlon-tbird -mtune=athlon-tbird -O2 -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=athlon-tbird -mtune=athlon-tbird -O2 -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox sfperms strict" GENTOO_MIRRORS="ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ " LC_ALL="en_US.ISO-8859-15" MAKEOPTS="-j2" PKGDIR="/tmp/lea/var/tmp/binpkgs" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --dele te --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/sunrise" SYNC="rsync://rsync.belnet.be/packages/gentoo-portage" USE="x86 X alsa_cards_pcsp alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plug ins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_ pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_i oplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_p cm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate a lsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol bitmap-fonts bzi p2 cairo cdr cli cracklib crypt dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode fam firefox fortra n gif gpm gstreamer gtk hal iconv input_devices_evdev input_devices_keyboard input_devices_mouse isdnlog jp eg kernel_linux ldap libg++ mad mikmod mp3 mpeg ncurses nptl nptlonly ogg opengl pam pcre perl png ppds ppp d python qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd truetype truetype-fonts type1 -fonts udev unicode userland_GNU video_cards_vesa vorbis win32codecs xml xorg xv zlib" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS fauli@gentoo.org 2007-01-06 18:58:26 0000 x86 does the monkey dertobi123@gentoo.org 2007-01-08 19:54:16 0000 ppc stable mcummings@gentoo.org 2007-01-09 00:32:21 0000 I could not get this package to pass the test phase - is it supposed to? Looking at the portage log I see a lot of reference to /root/.config - eh? It builds and installs, but does not pass testing. Do you have any example apps I can run against it to confirm it's working? jaervosz@gentoo.org 2007-01-09 08:32:01 0000 dotnet, please advise. compnerd@gentoo.org 2007-01-11 06:13:52 0000 You could try many of the various dot-net apps in portage (tomboy, muine, blam), as anything we give you would most likely be of little value. tester@gentoo.org 2007-01-14 03:00:57 0000 stable on amd64.... the tests fail.... if its ok.. please use RESTRICT=test.... otherwise fix it ;) tester@gentoo.org 2007-01-14 03:11:54 0000 oops falco@gentoo.org 2007-01-14 17:37:16 0000 Thanks everybody, everything is ok now AFAIK, now it's time to vote for a GLSA or not. I vote for a GLSA because the exploit is trivial and can have severe consequences (disclosure of passwords, etc) jaervosz@gentoo.org 2007-01-14 18:42:19 0000 I vote YES. aetius@gentoo.org 2007-01-14 18:48:44 0000 padawan /vote YES falco@gentoo.org 2007-01-17 21:48:34 0000 GLSA 200701-12