Bug 165837 - dev-libs/STLport < 5.0.3 (?) two buffer overflows (CVE-2007-0803)
|
Bug#:
165837
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: RESOLVED
|
Severity: normal
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: aetius@gentoo.org
|
|
Component: Vulnerabilities
|
|
|
URL:
http://sourceforge.net/project/shownotes.php?release_id=483468
|
|
Summary: dev-libs/STLport < 5.0.3 (?) two buffer overflows (CVE-2007-0803)
|
|
Keywords:
|
|
Status Whiteboard: B2 [glsa] Falco
|
|
Opened: 2007-02-07 21:45 0000
|
http://secunia.com/advisories/24024/
Secunia says that these are present in versions < 5.0.3, but it is not at all
clear if they include the 4.6 series in that statement. Bumping to 5.0.3 looks
to be the ticket.
"unspecified vectors". I hate that. Is it hard to upgrade from 4.6 to 5.0 and
to stabilize 5.0 ?
Short answer from upstream whether 4.6 is affected: "Not supported and has many
bugs."
So, since STLPort-5.1 needs gcc-4* and sparc doesn't have that one yet, the
only upgrade path leads to 5.0.3. Which is now in the tree.
(In reply to comment #2)
> So, since STLPort-5.1 needs gcc-4* and sparc doesn't have that one yet, the
> only upgrade path leads to 5.0.3. Which is now in the tree.
>
Thanks Tiziano
Hi arches, please test and mark stable STLport-5.0.3 if appropriate, thanks.
Doesn't seem to build without boost:
sparc-unknown-linux-gnu-g++ -pthread -fexceptions -fident -fPIC
-fuse-cxa-atexit -mcpu=ultrasparc -mtune=ultrasparc -O2 -pipe
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
-D_STLP_REAL_LOCALE_IMPLEMENTED -D_GNU_SOURCE -I../../stlport -c -o
obj/gcc/shared/num_put_float.o ../../src/num_put_float.cpp
In file included from ../../stlport/cmath:103,
from ../../src/num_put_float.cpp:84:
../../stlport/stl/_cmath.h: In function `long double abs(long double)':
../../stlport/stl/_cmath.h:229: error: `::fabsl' has not been declared
../../stlport/stl/_cmath.h: In function `long double acos(long double)':
../../stlport/stl/_cmath.h:234: error: `::acosl' has not been declared
../../stlport/stl/_cmath.h: In function `long double asin(long double)':
../../stlport/stl/_cmath.h:235: error: `::asinl' has not been declared
../../stlport/stl/_cmath.h: In function `long double atan(long double)':
../../stlport/stl/_cmath.h:236: error: `::atanl' has not been declared
../../stlport/stl/_cmath.h: In function `long double atan2(long double, long
double)':
../../stlport/stl/_cmath.h:237: error: `::atan2l' has not been declared
../../stlport/stl/_cmath.h: In function `long double ceil(long double)':
../../stlport/stl/_cmath.h:238: error: `::ceill' has not been declared
../../stlport/stl/_cmath.h: In function `long double cos(long double)':
../../stlport/stl/_cmath.h:239: error: `::cosl' has not been declared
../../stlport/stl/_cmath.h: In function `long double cosh(long double)':
../../stlport/stl/_cmath.h:240: error: `::coshl' has not been declared
../../stlport/stl/_cmath.h: In function `long double exp(long double)':
../../stlport/stl/_cmath.h:241: error: `::expl' has not been declared
../../stlport/stl/_cmath.h: In function `long double fabs(long double)':
../../stlport/stl/_cmath.h:242: error: `::fabsl' has not been declared
../../stlport/stl/_cmath.h: In function `long double floor(long double)':
../../stlport/stl/_cmath.h:243: error: `::floorl' has not been declared
../../stlport/stl/_cmath.h: In function `long double fmod(long double, long
double)':
../../stlport/stl/_cmath.h:244: error: `::fmodl' has not been declared
../../stlport/stl/_cmath.h: In function `long double frexp(long double, int*)':
../../stlport/stl/_cmath.h:245: error: `::frexpl' has not been declared
../../stlport/stl/_cmath.h: In function `long double ldexp(long double, int)':
../../stlport/stl/_cmath.h:247: error: `::ldexpl' has not been declared
../../stlport/stl/_cmath.h: In function `long double log(long double)':
../../stlport/stl/_cmath.h:248: error: `::logl' has not been declared
../../stlport/stl/_cmath.h: In function `long double log10(long double)':
../../stlport/stl/_cmath.h:249: error: `::log10l' has not been declared
../../stlport/stl/_cmath.h: In function `long double modf(long double, long
double*)':
../../stlport/stl/_cmath.h:250: error: `::modfl' has not been declared
../../stlport/stl/_cmath.h: In function `long double pow(long double, long
double)':
../../stlport/stl/_cmath.h:282: error: `::powl' has not been declared
../../stlport/stl/_cmath.h: In function `long double pow(long double, int)':
../../stlport/stl/_cmath.h:302: error: `::powl' has not been declared
../../stlport/stl/_cmath.h: In function `long double sin(long double)':
../../stlport/stl/_cmath.h:324: error: `::sinl' has not been declared
../../stlport/stl/_cmath.h: In function `long double sinh(long double)':
../../stlport/stl/_cmath.h:325: error: `::sinhl' has not been declared
../../stlport/stl/_cmath.h: In function `long double sqrt(long double)':
../../stlport/stl/_cmath.h:326: error: `::sqrtl' has not been declared
../../stlport/stl/_cmath.h: In function `long double tan(long double)':
../../stlport/stl/_cmath.h:327: error: `::tanl' has not been declared
../../stlport/stl/_cmath.h: In function `long double tanh(long double)':
../../stlport/stl/_cmath.h:328: error: `::tanhl' has not been declared
../../stlport/stl/_cmath.h: In function `long double hypot(long double, long
double)':
../../stlport/stl/_cmath.h:342: error: `::hypotl' has not been declared
make: *** [obj/gcc/shared/num_put_float.o] Error 1
make: Leaving directory
`/var/tmp/portage/STLport-5.0.3/work/STLport-5.0.3/build/lib'
!!! ERROR: dev-libs/STLport-5.0.3 failed.
Call stack:
ebuild.sh, line 1546: Called dyn_compile
ebuild.sh, line 937: Called src_compile
STLport-5.0.3.ebuild, line 80: Called die
!!! Compile failed
!!! If you need support, post the topmost build error, and the call stack if
relevant.
Doesn't build on ppc:
>>> Compiling source in /var/tmp/portage/STLport-5.0.3/work/STLport-5.0.3 ...
make: Entering directory
`/var/tmp/portage/STLport-5.0.3/work/STLport-5.0.3/build/lib'
In file included from ../../src/stlport_prefix.h:20,
from ../../src/dll_main.cpp:29:
../../stlport/stl/_config.h:179:6: error: #error "can't determine endianess"
ppc will have to stabilize 5.1, a number of ppc bugs including the one
dertobi123 mentioned are fixed in 5.1.
STLport-5.1.0 stable on ppc64
/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.1/../../../../x86_64-pc-linux-gnu/bin/ld:
obj/gcc/so/dll_main.o: relocation R_X86_64_32 against
`stlp_std::_Atomic_swap_struct<1>::_S_swap_lock' can not be used when making a
shared object; recompile with -fPIC
obj/gcc/so/dll_main.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
make: *** [obj/gcc/so/libstlport.so.5.1.0] Error 1
make: Leaving directory
`/var/tmp/portage/dev-libs/STLport-5.1.0/work/STLport-5.1.0/build/lib'
!!! ERROR: dev-libs/STLport-5.1.0 failed.
Call stack:
ebuild.sh, line 1614: Called dyn_compile
ebuild.sh, line 971: Called qa_call 'src_compile'
environment, line 3531: Called src_compile
STLport-5.1.0.ebuild, line 80: Called die
!!! Compile failed
!!! If you need support, post the topmost build error, and the call stack if
relevant.
!!! A complete build log is located at
'/var/tmp/portage/dev-libs/STLport-5.1.0/temp/build.log'.
Portage 2.1.2-r9 (default-linux/amd64/2006.1, gcc-4.1.1, glibc-2.4-r3,
2.6.18-gentoo-r6 x86_64)
=================================================================
System uname: 2.6.18-gentoo-r6 x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.12.1
Timestamp of tree: Wed, 14 Feb 2007 09:50:01 +0000
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python: 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -pipe -O2"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/terminfo"
CXXFLAGS="-march=athlon64 -pipe -O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://gentoo.po.opole.pl/"
LINGUAS="pl"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac alsa amd64 arts berkdb bitmap-fonts cdr cli cracklib crypt cups
dbus dlloader dri dvd dvdr firefox fortran gdbm gif gpm gtk gtk2 hal iconv ipv6
isdnlog java jpeg kde libg++ midi mp3 mpeg mplayer ncurses nls nptl nptlonly
ogg opengl oss pam pcre pdf perl png ppds pppd python qt3 readline reflection
samba session sndfile spl ssl tcl tcltk tcpd tk truetype truetype-fonts
type1-fonts unicode usb vcd xine xorg xvid zlib" ALSA_CARDS="hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" LINGUAS="pl" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Olaf: Please file a new bug since yours is a different issue (STLport-5.1.0 vs
STLport-5.0.3).
@ppc, @sparc: I added patches for your archs (to hopefully solve the issues you
mentioned), please re-test. Thanks!
GLSA 200703-07
thanks everyone
