First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 120224
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Carsten Lohrke <carlo@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 120224 depends on: Show dependency tree
Bug 120224 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2006-01-24 14:50 0000 
The following freshmeat information:

A security issue in the SYSLOG interface (POSIX module) and an OPEN/:APPEND
regression have been fixed. SAVEINITMEM can create standalone executables. 

and the ChangeLog:

* POSIX:SYSLOG no longer recognizes "%m" and other formatting instructions.
  For your safety and security, please do all formatting in Lisp.

are unfortunately both not specific about the vulnerability.

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-01-24 14:59:12 0000 ------- 
please provide fixed ebuilds, thx

------- Comment #2 From Matthew Kennedy (RETIRED) 2006-01-25 13:51:17 0000 ------- 
I just committed a new ebuild for clisp-2.38. Will we be issuing a GLSA?  I
think the security issue at hand is an unsafe function in CLISP POSIX package,
so my feeling is it is not necessary...

------- Comment #3 From Stefan Cornelius (RETIRED) 2006-01-25 14:01:58 0000 ------- 
ppc and x86, please mark stable.

Regarding a GLSA, I'm  not sure yet - I guess there will be a vote to decide
that after arches marked stable.

------- Comment #4 From Mark Loeser 2006-01-27 17:17:17 0000 ------- 
x86 done

------- Comment #5 From Tobias Scherbaum 2006-01-28 02:41:47 0000 ------- 
ppc stable

------- Comment #6 From Stefan Cornelius (RETIRED) 2006-01-28 06:29:18 0000 ------- 
lets have a glsa vote. perl had something similar and we issued a glsa back
then. Though i'd say no, C also has unsafe formatted printing functions and
nobody would "fix" them...

------- Comment #7 From Sune Kloppenborg Jeppesen 2006-02-06 12:26:46 0000 ------- 
I tend to vote YES.

------- Comment #8 From Thierry Carrez (RETIRED) 2006-02-07 10:19:18 0000 ------- 
I tend to vote no...

------- Comment #9 From Thierry Carrez (RETIRED) 2006-02-11 11:37:50 0000 ------- 
This is not really a security issue. It's a security improvement, that removes
some POSIX compatibility functions that would be unsafe if improperly used.

Correcting to full NO and closing, feel free to reopen if you disagree.
First Last Prev Next    No search results available      Search page      Enter new bug