Bug 167706 - app-office/gnucash < 2.0.5 insecure temp file (CVE-2007-0007)
Bug#: 167706
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: aetius@gentoo.org
Component: Vulnerabilities
URL: http://sourceforge.net/project/shownotes.php?release_id=487446
Summary: app-office/gnucash < 2.0.5 insecure temp file (CVE-2007-0007)
Keywords:
Status Whiteboard: B3 [noglsa] jaervosz
Opened: 2007-02-20 01:02 0000

http://secunia.com/advisories/24225/
Apparently a typical symlink attack. Secunia says local privilege escalation -
I have a hard time seeing that, but local user exploitation might be useful.
Fix is to update to 2.0.5 (their current stable). I'll try to have a look at
the exact vulnerability if I get a chance tomorrow.
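The "typical symlink attack" on a temporary file mentioned above, illustrated as an added C example that is not code from this bug, from GnuCash or from the Gentoo ebuild: the file-creation pattern such an attack relies on, beside two hardened patterns, plus a self-check on constructed paths under /tmp. The function names, the scratch directory and the "app.tmp" name are assumptions made for the example.

```c
#define _GNU_SOURCE            /* mkstemp, mkdtemp, O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Risky: predictable name, O_CREAT without O_EXCL.  A symlink that another
 * local user placed at `path` beforehand is followed; its target gets written. */
int open_tmp_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened, caller-chosen name: O_EXCL refuses any existing entry (a symlink
 * included), O_NOFOLLOW refuses symlinks on its own, 0600 keeps others out. */
int open_tmp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates it O_CREAT|O_EXCL
 * (`tmpl` ends in "XXXXXX" and receives the name); then verify via the fd, not
 * the path, that it is a private regular file owned by us. */
int open_tmp_random(char *tmpl) {
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
                    st.st_nlink != 1 || st.st_uid != geteuid() ||
                    (st.st_mode & 077) != 0)) {
        close(fd); unlink(tmpl); return -1;
    }
    return fd;
}

/* Self-check on constructed paths: in a private scratch dir, plant a symlink
 * where a predictable temp name would go; the exclusive open must refuse it and
 * the random open must still succeed.  1 = as intended, 0 = not, -1 = setup error. */
int hardened_tmp_selfcheck(void) {
    char dir[] = "/tmp/tmpcheck.XXXXXX", link[256], rnd[256];
    int fd, ok;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link, sizeof link, "%s/app.tmp", dir);
    if (symlink("/dev/null", link) != 0) return -1;
    ok = open_tmp_exclusive(link) < 0 && errno == EEXIST;
    snprintf(rnd, sizeof rnd, "%s/app.XXXXXX", dir);
    fd = open_tmp_random(rnd);
    ok = ok && fd >= 0 && strcmp(rnd, link) != 0;
    if (fd >= 0) close(fd);
    unlink(rnd); unlink(link); rmdir(dir);
    return ok;
}
```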

Ok 2.0.5 is in the tree, thanks seemant & dsd. Arches, please stabilize 2.0.5.
This new version of gnucash pulls in these:
dev-scheme/guile-1.8.1-r3
dev-scheme/slib-3.1.1-r1
dev-libs/g-wrap-1.9.6-r3
most worrying is dev-scheme/guile-1.8.1-r3 which was added to the tree today..
I'm not very comfortable with the idea of stabilizing it. Would it be possible
to make an ebuild that depends on guile-1.6 (like there is for gnucash-2.0.4)

(In reply to comment #3)
> most worrying is dev-scheme/guile-1.8.1-r3 which was added to the tree today..
> I'm not very comfortable with the idea of stabilizing it. Would it be possible
> to make an ebuild that depends on guile-1.6 (like there is for gnucash-2.0.4)
>
Then stabilize -r1 (which has been in the tree since Jan 25th), as
gnucash-2.0.5 wants >=dev-scheme/guile-1.8.
For g-wrap, I would go with 1.9.6-r1, because since then, hkBst started
breaking ChangeLog format badly, which makes me uncomfortable.
For slib, x86 will stay with 3.1.1, which is currently marked stable, unless
suggested otherwise by maintainers or security.
I'm off to test now.

(In reply to comment #4)
I synced the tree again, and...
> Then stabilize -r1 (which has been in the tree since Jan 25th), as
> gnucash-2.0.5 wants >=dev-scheme/guile-1.8.
Gah, -r1 no longer in the tree.
> For g-wrap, I would go with 1.9.6-r1, because since then, hkBst started
> breaking ChangeLog format badly, which makes me uncomfortable.
Same here, only -r3 available, in the tree for 2 days.
> For slib, x86 will stay with 3.1.1, which is currently marked stable, unless
> suggested otherwise by maintainers or security.
At least this still stands.
So, I'm joining Oliver in his worries about too new packages.

(In reply to comment #3)
> This new version of gnucash pulls in these:
> dev-scheme/guile-1.8.1-r3
There are still a few open bugs which are easy to fix by adding use flag
checking for "deprecated" and for beast and geda depending on guile-1.6*.
All this stuff has been detected because guile-1.8.1 has been in the tree since
22 Jan 2007. Tests still fail though.
> dev-scheme/slib-3.1.1-r1
no reason not to stable. It installs some more files than slib-3.1.1 does, so
it works with guile-1.6.8 also.
> dev-libs/g-wrap-1.9.6-r3
The bug where reinstalling g-wrap broke it was only recently fixed. I've
removed all versions which suffered from this. Tests still fail, probably
because of missing guile lib. Gnucash is the only package depending on g-wrap.
G-wrap has been in the tree since 19 Jan 2007.
g-wrap:
* QA Notice: The following files contain executable stacks
* Files with executable stacks will not work properly (or at all!)
* on some architectures/operating systems. A bug should be filed
* at http://bugs.gentoo.org/ to make sure the file is fixed.
* For more information, see http://hardened.gentoo.org/gnu-stack.xml
* Please include this file in your report:
* /var/tmp/portage/dev-libs/g-wrap-1.9.6-r3/temp/scanelf-execstack.log
* RWX --- --- usr/lib/libffi.so.4.0.1
gnucash:
grep: /usr/lib/libguile-ltdl.la: No such file or directory
/bin/sed: can't read /usr/lib/libguile-ltdl.la: No such file or directory
libtool: link: `/usr/lib/libguile-ltdl.la' is not a valid libtool archive
make[4]: *** [libgw-core-utils.la] Error 1
make[4]: Leaving directory
`/var/tmp/portage/app-office/gnucash-2.0.5/work/gnucash-2.0.5/src/core-utils'
make[3]: *** [all] Error 2
make[3]: Leaving directory
`/var/tmp/portage/app-office/gnucash-2.0.5/work/gnucash-2.0.5/src/core-utils'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory
`/var/tmp/portage/app-office/gnucash-2.0.5/work/gnucash-2.0.5/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory
`/var/tmp/portage/app-office/gnucash-2.0.5/work/gnucash-2.0.5'
make: *** [all] Error 2
!!! ERROR: app-office/gnucash-2.0.5 failed.
Call stack:
ebuild.sh, line 1614: Called dyn_compile
ebuild.sh, line 971: Called qa_call 'src_compile'
environment, line 3517: Called src_compile
gnucash-2.0.5.ebuild, line 83: Called die
[ebuild R ] dev-scheme/guile-1.8.1-r3 USE="deprecated discouraged elisp
networking nls regex threads -debug -debug-freelist -debug-malloc" 0 kB
[ebuild N ] app-office/gnucash-2.0.5 USE="chipcard doc hbci nls ofx quotes
-debug" 0 kB
on x86 (and most likely any other arch):
"
# emerge -av =app-office/gnucash-2.0.5
These are the packages that would be merged, in order:
Calculating dependencies \
!!! Multiple versions within a single package slot have been
!!! pulled into the dependency graph:
('ebuild', '/', 'dev-scheme/guile-1.6.7', 'merge') pulled in by
('ebuild', '/', 'dev-scheme/slib-3.1.1', 'merge')
('ebuild', '/', 'dev-scheme/guile-1.8.1-r3', 'merge') pulled in by
('ebuild', '/', 'dev-libs/g-wrap-1.9.6-r3', 'merge')
[...]
"
Make sure that you don't have dev-scheme/guile installed when trying to
reproduce.
Portage 2.1.2.2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0,
2.6.19-gentoo-r5 i686)
=================================================================
System uname: 2.6.19-gentoo-r5 i686 AMD Athlon(tm) XP 2400+
Gentoo Base System release 1.12.9
Timestamp of tree: Sun, 11 Mar 2007 18:50:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[disabled]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python: 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-march=athlon-xp -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox
sfperms strict"
GENTOO_MIRRORS="http://gentoo.ynet.sk/pub "
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
LINGUAS="en de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://192.168.0.1/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acpi aiglx alsa audiofile avahi beagle berkdb
bitmap-fonts bzip2 cairo cdr cli cracklib crypt css cups dbus dlloader dri dvd
dvdr dvdread eds emboss encode evo exif fam fbcon ffmpeg firefox flac fortran
gdbm gif ginac gmp gnome gnutls gphoto2 gpm gstreamer gtk gtk2 hal iconv icq
ipod ipv6 isdnlog java javascript jpeg jpeg2k lcms ldap libg++ mad midi mikmod
mime mmx mmxext mono mozsvg mp3 mpeg msn nautilus ncurses nfs nls nptl nptlonly
nsplugin nvidia offensive ogg oggvorbis opengl pam pcre pdf perl plotutils png
posix ppds pppd python qt3 qt4 quicktime readline real reflection ruby sdl
session sockets spell spl sqlite3 sse ssl subtitles svg tcpd tetex theora
threads tiff truetype truetype-fonts type1-fonts unicode usb vcd vorbis
win32codecs wma x86 xine xml xorg xv xvid zlib" ELIBC="glibc"
INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de" USERLAND="GNU"
VIDEO_CARDS="nvidia"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_COMPRESS,
PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Created an attachment (id=113206)
patch against 2.0.5 ebuild
I was able to compile with the following changes to gnucash-2.0.5.ebuild:
RDEPEND=">=dev-libs/glib-2.4.0
- >=dev-scheme/guile-1.8
- =dev-scheme/slib-3.1.1*
+ ~dev-scheme/guile-1.6.8
+ =dev-scheme/slib-3.1.1-r1
>=sys-libs/zlib-1.1.4
>=dev-libs/popt-1.5
>=x11-libs/gtk+-2.4
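Review bot: the `+ =dev-scheme/slib-3.1.1-r1` line pins slib to exactly one revision, so any later slib revision (the thread later asks arches for 3.1.1 "or later revisions") would make gnucash unmergeable again; `>=dev-scheme/slib-3.1.1-r1` expresses the actual requirement. The same question applies to `+ ~dev-scheme/guile-1.6.8`, which excludes every other guile-1.6 release even though the earlier comments only ask for a guile-1.6 dependency.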
@@ -54,9 +54,9 @@
pkg_setup() {
built_with_use gnome-extra/libgsf gnome || die "gnome-extra/libgsf must
be built with gnome"
built_with_use x11-libs/goffice gnome || die "x11-libs/goffice must be
built with gnome"
- if ! built_with_use dev-scheme/guile regex deprecated discouraged; then
- die "dev-scheme/guile must be built with USE=\"regex deprecated
discouraged\""
- fi
+# if ! built_with_use dev-scheme/guile regex deprecated discouraged; then
+# die "dev-scheme/guile must be built with USE=\"regex deprecated
discouraged\""
+# fi
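Review bot: commenting out the `built_with_use dev-scheme/guile` block leaves dead code in pkg_setup; either delete the three lines or rewrite the check against the guile-1.6.8 the new RDEPEND pulls in (keeping the flags that still apply to it, and dropping `discouraged` since the note below says `deprecated` already implies it), so a guile built without the needed flags still fails early with a clear message instead of later in the build.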
Also, please don't check for the discouraged flag when already checking for the
deprecated flag; it is implied.
Also adding gnome-office, as they are in metadata.xml, too
With hkbst's changes it emerges and works.

(In reply to comment #7)
> gnucash:
>
> grep: /usr/lib/libguile-ltdl.la: No such file or directory
> /bin/sed: can't read /usr/lib/libguile-ltdl.la: No such file or directory
> libtool: link: `/usr/lib/libguile-ltdl.la' is not a valid libtool archive
Since gnucash-2.0.5 is already in testing I take it not everybody is getting
this. Is that correct?
Sorry, but could I get a definitive list of what we should be doing here so we
can move on this?
Thanks

(In reply to comment #15)
> Sorry, but could I get a definitive list of what we should be doing here so we
> can move on this?
+1
Also the ~ppc keyword (and alpha/ia64 ones ...) has been dropped in
>=gnucash-2.0.4. Has it been dropped just by mistake or is there any reason for
it?
Ok, according to my understanding we need ppc, x86 and sparc to mark stable
(see Status Whiteboard). If that is not possible we'll go back to ebuild status
and ask maintainers for input.
Arches is it possible for you to mark stable?

(In reply to comment #17)
> Arches is it possible for you to mark stable?
Not as long as guile 1.8 is requested by gnucash 2.0.5, as it fails with that
on my system (see comment #7, but not with 1.6*) and version 1.8 has more
issues with several other programs.

(In reply to comment #16)
> Also the ~ppc keyword (and alpha/ia64 ones ...) has been dropped in
> >=gnucash-2.0.4. Has it been dropped just by mistake or is there any reason for
> it?
they've been dropped pending g-wrap rekeywording.

(In reply to comment #18)
> on my system (see comment #7, but not with 1.6*) and version 1.8 has more
> issues with several other programs.
Christian, try re-emerging g-wrap.
So hummm, what do we have to do here?
on x86:
After several interruptions due to dependencies on particular USE flags and failed
tests (see bug 163894, bug 164266) I was able to merge:
app-office/gnucash-2.0.5 USE="nls -chipcard -debug -doc -hbci -ofx -quotes"
with
dev-libs/g-wrap-1.9.6-r3
dev-scheme/guile-1.8.1-r3 USE="deprecated discouraged nls regex threads -debug
-debug-freelist -debug-malloc -elisp -networking"
To be honest, I expected gnucash to immediately die with some sort of fatal
error, and was quite a bit surprised as this didn't happen, but I was
introduced to a rather big application, with a nice looking GUI, that contained
lots of buttons and menus I've no clue about. As I have never worked with a
similar application before, don't own a bank or do some fancy stock market
stuff, I couldn't do more than verify that I'm not able to crash the program
with my unguided mouse clicks ;-)
Back to ebuild status to get an ebuild arches can mark stable.
Seemant/gnome-office, is it possible to backport the fix to our latest stable
version?
So after rebuilding the dependencies correctly, gnucash 2.0.5 works on my
system with guile 1.8. hkbst, could guile 1.8 go stable instead of backporting
the patch?

(In reply to comment #24)
> So after rebuilding the dependencies correctly, gnucash 2.0.5 works on my
> system with guile 1.8. hkbst, could guile 1.8 go stable instead of backporting
> the patch?
My statements in comment #6 are still valid. I think it would be better to make
gnucash also accept guile-1.6.8 and stabilize that version.
Done, but slib needs to go stable first now.
Thx Seemant.
Arches please test and mark stable. Target keywords are:
dev-scheme/slib-3.1.1.ebuild:KEYWORDS="alpha amd64 ia64 ppc sparc x86"
Or later revisions.
gnucash-2.0.5.ebuild:KEYWORDS="alpha amd64 ia64 ppc sparc x86"
I hope this covers everything.
!!! ERROR: app-office/gnucash-2.0.5 failed.
Call stack:
ebuild.sh, line 1630: Called dyn_setup
ebuild.sh, line 702: Called qa_call 'pkg_setup'
ebuild.sh, line 38: Called pkg_setup
gnucash-2.0.5.ebuild, line 57: Called built_with_use
'=dev-scheme/guile-1.8*' 'regex' 'deprecated' 'discouraged'
eutils.eclass, line 1654: Called die
!!! Unable to resolve =dev-scheme/guile-1.8* to an installed package
!!! If you need support, post the topmost build error, and the call stack if
relevant.
!!! A complete build log is located at
'/var/tmp/portage/app-office/gnucash-2.0.5/temp/build.log'.
seemant, the USE flag check is b0rked now. If I have guile 1.6 the check will
Back to ebuild again it seems.
Seemant please fix and readd arches.
I've taken the liberty to fix the guile use flag checking and changed the slib
dependency to a version that works with guile-1.6.8.

(In reply to comment #30)
> I've taken the liberty to fix the guile use flag checking and changed the slib
> dependency to a version that works with guile-1.6.8.
Here we go again.
Great, then lets get arches rocking again.
x86 ends the endless odyssey
gnucash-2.0.5 ~ppc'd for now, i'll mark it stable in a few days or so. If we're
in a hurry I'm also fine with marking it stable right now as gnucash is working
as expected, just tell me what you want me to do :P (but as this is "only" B3 i
expect we have some time left for some testing efforts ..)
Tobias a few days is ok since we still need amd64 and alpha. Just post again on
this bug when you mark it stable.

(In reply to comment #36)
> Tobias a few days is ok since we still need amd64 and alpha. Just post again on
> this bug when you mark it stable.
>
ppc stable
alpha/amd64 stable... can't get ia64 due to bug #162010 not being fixed just
yet
Thanks everyone - security, please vote for GLSA.
I vote no - it's a local issue, and I have a hard time seeing lots of people
running gnucash on a shared machine (although situations like LTSP would
exist).
ia64 doesn't want gnucash/g-wrap anymore. Feel free to remove the old version
of gnucash/g-wrap.
Vote no too and closing. Feel free to reopen if you disagree.