Bug 366697 (CVE-2011-0904)

Summary: <net-misc/vino-2.32.2: Denial of Service Vulnerabilities (CVE-2011-{0904,0905})
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: alexanderyt, gnome
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-05-10 04:49:42 UTC
There are two DoS vulnerabilities in vino, which can be crashed by invalid framebuffer requests. The upstream bugs appear to be:

https://bugzilla.gnome.org/show_bug.cgi?id=641802 (CVE-2011-0904)
https://bugzilla.gnome.org/show_bug.cgi?id=641803 (CVE-2011-0905, private)
Comment 1 Gilles Dartiguelongue (RETIRED) gentoo-dev 2011-05-10 06:49:53 UTC
IIRC that's what the 2.32.2 release was for and it already is in tree. Unless there's something more we are good to go.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-05-14 20:52:57 UTC
(In reply to comment #1)
> IIRC that's what the 2.32.2 release was for and it already is in tree. Unless
> there's something more we are good to go.

Ok, I am a little confused. https://bugzilla.gnome.org/show_bug.cgi?id=641802#c10 says this is fixed in a 2.32.3 version, but comparing the fix at http://bugzilla-attachments.gnome.org/attachment.cgi?id=186688 to the source from our 2.32.2 we look to include the fixed code.

Alright, can we stabilize =net-misc/vino-2.32.2?
Comment 3 Nirbheek Chauhan (RETIRED) gentoo-dev 2011-05-14 21:11:04 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > IIRC that's what the 2.32.2 release was for and it already is in tree. Unless
> > there's something more we are good to go.
> 
> Ok, I am a little confused.
> https://bugzilla.gnome.org/show_bug.cgi?id=641802#c10 says this is fixed in a
> 2.32.3 version, but comparing the fix at
> http://bugzilla-attachments.gnome.org/attachment.cgi?id=186688 to the source
> from our 2.32.2 we look to include the fixed code.
> 
> Alright, can we stabilize =net-misc/vino-2.32.2?

Latest is 2.32.2[1]. That should be stabilized.


1. http://ftp.acc.umu.se/pub/GNOME/sources/vino/2.32/
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-05-14 21:14:03 UTC
(In reply to comment #3)
> 
> Latest is 2.32.2[1]. That should be stabilized.
> 

Cool, thanks.

Arches, please test and mark stable:
=net-misc/vino-2.32.2
Target keywords : "alpha amd64 arm ia64 ppc ppc64 sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2011-05-15 00:50:56 UTC
amd64 ok
Comment 6 Christoph Mende (RETIRED) gentoo-dev 2011-05-15 07:52:08 UTC
amd64 stable
Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-15 14:17:41 UTC
ppc/ppc64 stable
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-15 16:20:29 UTC
x86 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-05-21 16:04:24 UTC
alpha/arm/ia64/sparc stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-05-23 02:36:17 UTC
Thanks, everyone. GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:37:49 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).