170861 2007-03-14 12:38 0000 app-text/tetex < 3.0_p1-r4 Multiple buffer overflows (CVE-2007-0650) 2008-01-10 08:53:59 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED https://issues.rpath.com/browse/RPL-1036 B2 [glsa] Falco P2 normal --- 182055 188172 1 jaervosz@gentoo.org security@gentoo.org fauli@gentoo.org hkmaly@bigfoot.com p_ansell@yahoo.com rbu@gentoo.org tex@gentoo.org jaervosz@gentoo.org 2007-03-14 12:38:30 0000 Buffer overflow in the open_sty function in mkind.c for makeindex 2.14 in teTeX might allow user-assisted remote attackers to overwrite files and possibly execute arbitrary code via a long filename. NOTE: other overflows exist but might not be exploitable, such as a heap-based overflow in the check_idx function. falco@gentoo.org 2007-03-14 12:56:56 0000 CCign herd falco@gentoo.org 2007-03-14 13:26:43 0000 not all issues are patched according to https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=225491 jaervosz@gentoo.org 2007-05-08 10:28:37 0000 Fixes for rPath are out. py@gentoo.org 2007-05-31 09:40:04 0000 any news here? py@gentoo.org 2007-07-19 08:05:09 0000 text-markup, any news here? rbu@gentoo.org 2007-09-01 13:29:15 0000 py, this is maintained by the tex herd in the meantime. rbu@gentoo.org 2007-09-01 17:16:40 0000 Fixed in app-text/tetex-3.0_p1-r4. py@gentoo.org 2007-09-01 22:04:17 0000 Thanks rbu. Arches, please test and mark stable app-text/tetex-3.0_p1-r4. Target keywords are: "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86 ~x86-fbsd" rbu@gentoo.org 2007-09-01 23:53:23 0000 py: shouldn't this bug also block bug 188172? fauli@gentoo.org 2007-09-02 07:52:46 0000 x86 stable and I added a other_bugs as suggested by rbu. armin76@gentoo.org 2007-09-02 14:37:27 0000 alpha/ia64 stable corsair@gentoo.org 2007-09-02 15:04:17 0000 ppc64 stable jer@gentoo.org 2007-09-02 17:29:27 0000 Stable for HPPA. yoswink@gentoo.org 2007-09-02 18:58:32 0000 During the merging I saw the message: "/usr/portage/eclass/tetex-3.eclass: line 36: tetex_pkg_setup: command not found" tetex-3.eclass run the function tetex_pkg_setup which is inherited from tetex.eclass. Problem is that QA remove the whole function as you can see in bug #156213. Please remove it from tetex-3.eclass (if is no longer needed). rbu@gentoo.org 2007-09-02 19:22:22 0000 (In reply to comment #14) > During the merging I saw the message: > "/usr/portage/eclass/tetex-3.eclass: line 36: tetex_pkg_setup: command not > found" > > tetex-3.eclass run the function tetex_pkg_setup which is inherited from > tetex.eclass. Problem is that QA remove the whole function as you can see in > bug #156213. > > Please remove it from tetex-3.eclass (if is no longer needed). This has been reported as bug #191046, too. dertobi123@gentoo.org 2007-09-03 17:43:22 0000 ppc stable yoswink@gentoo.org 2007-09-04 09:04:44 0000 (In reply to comment #15) > (In reply to comment #14) > > During the merging I saw the message: > > "/usr/portage/eclass/tetex-3.eclass: line 36: tetex_pkg_setup: command not > > found" > > > > tetex-3.eclass run the function tetex_pkg_setup which is inherited from > > tetex.eclass. Problem is that QA remove the whole function as you can see in > > bug #156213. > > > > Please remove it from tetex-3.eclass (if is no longer needed). > > This has been reported as bug #191046, too. > Any chance to get it solved before marking tetex as stable? zlin@gentoo.org 2007-09-04 11:52:05 0000 Wrt. bug #189716 (upstream changed the tarball with no bump) thus far two arch maintainers on this bug has stabled the wrong tarball. For the remaining arch teams do make sure to fetch the right tarball before stabilizing.. ;) rbu@gentoo.org 2007-09-04 12:09:07 0000 (In reply to comment #18) > For the remaining arch > teams do make sure to fetch the right tarball before stabilizing.. ;) To be more specific. Please make sure your Manifest contains: DIST tetex-texmf-3.0.tar.gz 91402377 RMD160 a1e87733fa3cbef04e39a690ed8549aeaaddb241 SHA1 1be97f57a26a6e9b72ebfd932e45914a959aff16 SHA256 6c3b8fa619749cbb28ca0f8847e56773d13e0bb92f1ea34287420950373640c2 (In reply to comment #17) > > bug #191046. > Any chance to get it solved before marking tetex as stable? Peper just fixed it. yoswink@gentoo.org 2007-09-05 10:01:20 0000 (In reply to comment #19) > (In reply to comment #18) > > For the remaining arch > > teams do make sure to fetch the right tarball before stabilizing.. ;) > > To be more specific. Please make sure your Manifest contains: > DIST tetex-texmf-3.0.tar.gz 91402377 RMD160 > a1e87733fa3cbef04e39a690ed8549aeaaddb241 SHA1 > 1be97f57a26a6e9b72ebfd932e45914a959aff16 SHA256 > 6c3b8fa619749cbb28ca0f8847e56773d13e0bb92f1ea34287420950373640c2 Tested the new tarball, works fine. > > (In reply to comment #17) > > > bug #191046. > > Any chance to get it solved before marking tetex as stable? > > Peper just fixed it. > Thanks, sparc stable. beandog@gentoo.org 2007-09-08 01:11:50 0000 amd64 stable p_ansell@yahoo.com 2007-09-08 08:50:44 0000 Please make sure the manifest is correct when stabilising this bug :) It caused me about 600MB of download that I know of so far re-downloading the file so it does have an impact on users. See bug #189716 fauli@gentoo.org 2007-09-08 22:12:28 0000 All security supported arches done, glsa should be emitted combining this bug with bug 182055 and bug 188172. rbu@gentoo.org 2007-09-08 23:10:09 0000 (In reply to comment #23) > All security supported arches done, glsa should be emitted combining this bug > with bug 182055 and bug 188172. I'd also bet on the outcome, but shouldn't there be a vote? py@gentoo.org 2007-09-08 23:18:32 0000 nope, not with B2 ;-) py@gentoo.org 2007-09-28 08:51:07 0000 GLSA 200709-17, thanks everybody and sorry for the delay. hkmaly@bigfoot.com 2007-10-01 08:28:29 0000 Isn't cstetex (last version - app-text/cstetex-2.0.2-r2) also affected by this bug ? rbu@gentoo.org 2007-10-21 22:46:34 0000 (In reply to comment #27) > Isn't cstetex (last version - app-text/cstetex-2.0.2-r2) also affected by this > bug ? Yes, thanks for reporting. See bug 196673.