Summary: | <net-print/cups-1.4.8-r1: "gif_read_lzw()" Buffer Overflow Vulnerability (CVE-2011-3170) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | pruzinat |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | https://secunia.com/advisories/45796/ | | |
Whiteboard: | B2 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 380825 | | |
Bug Blocks: | | | |
Description
Agostino Sarubbo
2011-08-26 19:00:45 UTC
*cups-1.5.0-r1 (25 Aug 2011)
*cups-1.4.8-r21 (25 Aug 2011)
*cups-1.4.8-r1 (25 Aug 2011)

25 Aug 2011; Timo Gurr <tgurr@gentoo.org> -cups-1.4.6-r21.ebuild, -cups-1.4.8.ebuild, +cups-1.4.8-r1.ebuild, +cups-1.4.8-r21.ebuild, +files/cups-1.4.8-CVE-2011-2896.patch, -cups-1.5.0.ebuild, +cups-1.5.0-r1.ebuild: Revbumps fixing security issue CVE-2011-2896. Remove old.

Note: CVE-2011-2896, although talking about cups, refers to SECUNIA:45621 (which is imho exactly the same issue for gimp).

net-print/cups-1.4.8-r1 stablerequest filed

*** Bug 380825 has been marked as a duplicate of this bug. ***

This particular patch is CVE-2011-3170. The -2896 patch was not sufficient to fix the issue in cups, thus this patch was needed. Please fix the naming in CVS. After that, we'll call arches in *this* bug, as usual.

Arches, please test and mark stable: =net-print/cups-1.4.8-r1 Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"

Multiple compile test ok. No hw to test. amd64 ok

Archtested 1.4.8-r1 on amd64 (printing over wifi, administration interface, queues, jobs etc). All ok.

x86 stable

ppc/ppc64 stable

+ 28 Aug 2011; Tony Vroon <chainsaw@gentoo.org> cups-1.4.8-r1.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+ Tomáš "Mepho" Pružina in security bug #380771.

Stable for HPPA.

alpha/arm/ia64/m68k/s390/sh/sparc

Thanks, everyone. Added to existing GLSA request. No vulnerable version in the tree anymore.

This issue was resolved and addressed in GLSA 201207-10 at http://security.gentoo.org/glsa/glsa-201207-10.xml by GLSA coordinator Sean Amoss (ackle).