Bug 185446 - x11-libs/qt Multiple issues (CVE-2007-3388)
Bug#: 185446
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: normal
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL: http://secunia.com/advisories/26298/
Summary: x11-libs/qt Multiple issues (CVE-2007-3388)
Status Whiteboard: B2 [glsa] jaervosz
Opened: 2007-07-15 19:34 0000

Attaching patches in a moment.

Caleb please advise. Do NOT commit anything yet. Instead you can attach updated
ebuilds to this bug for prestable testing if needed.

Both patches look mostly harmless to me. 99% of them just affect debugging
output, which shouldn't matter to anyone really. The very last line on the
format-warning.diff seems to affect reversible layouts, which might cause an
impact to someone who uses a right-to-left language, but I don't have any way
to test that particular feature.
In short: the patches look completely fine to me.

Thx Caleb. Do you want prestable arch testing or should we just wait until the
issues go public?

I don't see any fixes in here that would affect any arches at all, really, so I
think we're okay to wait.

Also, since qt-4.3.0 is ready for a stabilization request for the arches anyway,
we can just tie these patches with a normal stabilization request. I'm not sure
if these will work against the qt-4.2 series, but it may not be necessary to
even worry about that.

The initial report for CVE-2007-3388 said it affects qt-3 only. So I guess we're
going directly to stable on qt-3 once the release date is reached?

Oh, didn't realize it was qt3 only. In any case, no problem going straight to
stable with the patches.

Caleb, did you see any public information about this yet? Disclosure date
should have been Friday; I wonder whether it was postponed.

*** Bug 187465 has been marked as a duplicate of this bug. ***

This is public now, sorry for the delay.

Arches, please test and mark stable:
qt-3.3.8-r3 and qt-4.3.0-r1 (target "alpha amd64 hppa ia64 mips ppc ppc64
sparc x86 ~x86-fbsd")

How about updating the qt.eclass as well when you throw a new qt ebuild into
portage?
Currently I get circular dependency errors when updating world because 3.3.8-r3
is not listed in the QT3VERSIONS variable of qt.eclass...

Of course I mean qt3.eclass.

x86 stable and qt3.eclass has been fixed by carlo, thanks.

====amd64====
All looks good here. Building kdelibs against qt-3.3.8-r3 works fine.
Is there anything additional to test so that I know that the vulnerability
itself is fixed?
Portage 2.1.2.9 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.5-r4,
2.6.20-gentoo-r7 x86_64)
=================================================================
System uname: 2.6.20-gentoo-r7 x86_64 unknown
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 02 Aug 2007 19:01:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.23b
virtual/os-headers: 2.6.21
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild
/etc/terminfo"
CXXFLAGS="-march=athlon64 -O2 -pipe"
DISTDIR="/distfiles"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict
sandbox sfperms strict test userpriv"
GENTOO_MIRRORS="http://mirrors.acm.cs.rpi.edu/gentoo/
http://distfiles.gentoo.org/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/overlay"
SYNC="rsync://kv80/gentoo-portage"
USE="X acl aiglx aim amd64 berkdb bitmap-fonts branding cli cracklib crypt cups
dri fortran gdbm gpm gtk iconv imap ipv6 isdnlog libg++ midi mmx mpeg3 mudflap
ncurses nls nptl nptlonly nvidia opengl openmp pam pcre perl pppd python qt3
readline reflection session sockets spl sqlite3 sse sse2 ssl tcpd test
truetype-fonts type1-fonts unicode vim xcomposite xine xorg zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x
ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3
trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw
asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa
lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

/usr/portage/x11-libs/qt/qt-4.3.0-r1.ebuild: line 122:
epatch/usr/portage/x11-libs/qt/files/0185-fix-format-strings.diff: No such file
or directory
Try again.

Yeah, Bug 187552... No point in stabilizing this ATM, plus it will IMO require
another revbump because users silently failed to get the right patch for this
issue w/ 4.3.0-r1 :(

Sorry for the typo, guys. Please do qt-3.3.8-r3 (if you didn't already) and
qt-4.3.0-r2.

GLSA 200708-16, sorry for the delay.