Summary: | <media-libs/tiff-{3.9.7,4.0.3-r2} : Buffer overflow vulnerability (CVE-2012-4447) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | graphics+disabled |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B2 [glsa] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 468334 | ||
Bug Blocks: |
Description
GLSAMaker/CVETool Bot
2012-10-29 18:58:06 UTC
(In reply to comment #0)
> graphics: Is 4.0.3 ready for stabilization?

yes, but does this affect 3.x series too? do note that 3.x doesn't install any of the tools, only the plain library .so which is why the security bug before this had no impact on 3.x for us.

(In reply to comment #1)
> (In reply to comment #0)
> > graphics: Is 4.0.3 ready for stabilization?
>
> yes, but does this affect 3.x series too?

it did, and is fixed in 3.9.7 in the old slot

I was wrong. This is now fixed in 4.0.3-r2 with an upstream patch.

Added to GLSA draft. @maintainers: cleanup please.

(In reply to Chris Reffett from comment #4)
> Added to GLSA draft. @maintainers: cleanup please.

What cleanup is that? There isn't a single .ebuild of tiff in tree that we could remove.

(In reply to Samuli Suominen from comment #5)
> (In reply to Chris Reffett from comment #4)
> > Added to GLSA draft. @maintainers: cleanup please.
>
> What cleanup is that? There isn't a single .ebuild of tiff in tree that we
> could remove.

4.0.2-r1 ? It's stable only on m68k, we should proceed here somehow

(In reply to Sergey Popov from comment #6)
> (In reply to Samuli Suominen from comment #5)
> > (In reply to Chris Reffett from comment #4)
> > > Added to GLSA draft. @maintainers: cleanup please.
> >
> > What cleanup is that? There isn't a single .ebuild of tiff in tree that we
> > could remove.
>
> 4.0.2-r1 ? It's stable only on m68k, we should proceed here somehow

IIRC, m68k is not a security supported arch so security@ shouldn't care

Okay then...guess we don't need cleanup.

This issue was resolved and addressed in GLSA 201402-21 at http://security.gentoo.org/glsa/glsa-201402-21.xml by GLSA coordinator Chris Reffett (creffett).