Summary: | <app-misc/hivex-1.3.11: DOS when accessing invalid registry hives (CVE-2014-9273) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Anton Bolshakov <anton.bugs> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | andreis.vinogradovs, maksbotan, proxy-maint |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://seclists.org/oss-sec/2014/q4/787 | ||
Whiteboard: | C2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Anton Bolshakov
2013-11-11 06:00:35 UTC
need to convert python eclass to python-r1 [1] also python-2.6 is deprecated, and is removed from portage tree [1] http://wiki.gentoo.org/wiki/Python-r1 http://wiki.gentoo.org/wiki/Project:Python/Eclasses first test ebuild ( temporarily to the old еclass ) https://code.google.com/p/rion-overlay/source/browse/app-misc/hivex/hivex-1.3.11.ebuild Please note that this is a security update: http://seclists.org/oss-sec/2014/q4/787 hanno, thank you setting this as a security bug, and whiteboard. CVS Request as per URL provided for OSS. *** Bug 530734 has been marked as a duplicate of this bug. *** app-misc/hivex-1.3.11 in tree Maintainer(s): Please let us know when the ebuild is ready for stabilization, or call for stabilization. CVE-2014-9273 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9273): lib/handle.c in Hivex before 1.3.11 allows local users to execute arbitrary code and gain privileges via a small hive files, which triggers an out-of-bounds read or write. It has been 30 days in the tree so far no objections from maintainer. Calling for stabilization. Arches, please test and mark stable: =app-misc/hivex-1.3.11 Target Keywords : "amd64" Thank you! amd64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. Arches, Thank you for your work Maintainer(s), please drop the vulnerable version(s). New GLSA Request filed. Cleanup is done This issue was resolved and addressed in GLSA 201503-07 at https://security.gentoo.org/glsa/201503-07 by GLSA coordinator Kristian Fiskerstrand (K_F). |