Bug 120224 - dev-lisp/clisp-2.38 fixes security issue

Bug#: 120224
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: carlo@gentoo.org
Component: Vulnerabilities
Summary: dev-lisp/clisp-2.38 fixes security issue
Status Whiteboard: ? [noglsa] DerCorny

Opened: 2006-01-24 14:50 0000
The following freshmeat information:

    A security issue in the SYSLOG interface (POSIX module) and an OPEN/:APPEND
    regression have been fixed. SAVEINITMEM can create standalone executables.

and the ChangeLog:

    * POSIX:SYSLOG no longer recognizes "%m" and other formatting instructions.
      For your safety and security, please do all formatting in Lisp.

are unfortunately both not specific about the vulnerability.
Please provide fixed ebuilds, thanks.
I just committed a new ebuild for clisp-2.38. Will we be issuing a GLSA? I
think the security issue at hand is an unsafe function in the CLISP POSIX package,
so my feeling is it is not necessary...

ppc and x86, please mark stable.

Regarding a GLSA, I'm not sure yet - I guess there will be a vote to decide
that after arches marked stable.

Let's have a GLSA vote. perl had something similar and we issued a GLSA back
then. Though I'd say no, C also has unsafe formatted printing functions and
nobody would "fix" them...

This is not really a security issue. It's a security improvement that removes
some POSIX compatibility functions that would be unsafe if improperly used.
Correcting to full NO and closing, feel free to reopen if you disagree.
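The "unsafe if improperly used" pattern discussed above, as an added illustration that is not code from this bug or from CLISP: a message handed to syslog as the format string is rewritten by the logging layer, while the fixed form passes it through a constant "%s". The fake_syslog helper and the sample message are constructed stand-ins so the effect can be checked offline.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3): renders into `out` instead of the system log so
 * the result can be inspected offline (hypothetical helper, not CLISP's). */
static void fake_syslog(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Pre-2.38 behaviour: the caller's message is handed to syslog as the
 * format string, so "%m" and every other directive in it is interpreted.
 * A directive that expects an argument reads one that was never passed,
 * which is undefined behaviour; that is what the 2.38 change removes. */
void log_unsafe(char *out, size_t n, const char *msg)
{
    fake_syslog(out, n, msg);
}

/* 2.38 behaviour: the message is fully formatted by the caller (in CLISP,
 * in Lisp) and passed through a constant "%s" format, so it is logged
 * verbatim whatever it contains. */
void log_safe(char *out, size_t n, const char *msg)
{
    fake_syslog(out, n, "%s", msg);
}

/* Returns 1 if msg holds a '%' that the old path would have interpreted,
 * i.e. data that must never reach a format parameter. */
int has_format_directive(const char *msg)
{
    return strchr(msg, '%') != NULL;
}

int main(void)
{
    /* Constructed sample: "%%" is the one directive defined without an
     * argument, so it shows the rewrite without undefined behaviour. */
    const char *msg = "upload 100%% complete";
    char buf[64];
    log_unsafe(buf, sizeof buf, msg);
    printf("unsafe: %s\n", buf); /* upload 100% complete  (altered) */
    log_safe(buf, sizeof buf, msg);
    printf("safe:   %s\n", buf); /* upload 100%% complete (verbatim) */
    return 0;
}
```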