Bugzilla Bug 133829

Very large number of buffer overflows exist in cscope <=15.5.  Most deal with
user controlled factors (enviorment variables, filenames), but theoretically,
if someone inserted a carefully managed a #include statement on a largely
distributed source (the kernel, firefox, open office, etc), they could overflow
the buffer on a large number of computers.

vim or emacs herd, please check if we are really vulnerable (seems to be an old
problem) and provide fixed ebuilds in case that we are, thank you.

vim/emacs teams: please advise

Can you provide a pointer to the list of vulnerabilities?  I'm not sure what
you're asking -- do you want us to do a code audit?

No, was asking if you could provide some insight on that problem, like if you
know about a patch or a new version that we could bump to. 

The closest thing we have to a patch would be in :
http://www.us.debian.org/security/2006/dsa-1064

It is my opinion that our port is vulnerable.  cscope-15.5-r5.ebuild includes
several patches but none of them address the 30+ potential buffer overflows the
debian patch at
http://security.debian.org/pool/updates/main/c/cscope/cscope_15.5-1.1sarge1.diff.gz
addresses.

mkennedy, since you are in the emacs herd and said that we are probably
vulnerable, could you please provide a fixed revbump?

revbumped to cscope-5.15-r6.ebuild w/ the following:

src_unpack() {
        unpack ${A}

        # ~30 buffer overflows fix: Gentoo Bug #133829, patch developed by
        # the Debian Security Team (thanks to those guys), CVE-2004-2541,
        # Moritz Muehlenhoff.  The Debian patch also includes the tempfile
        # fix (previously ${PN}-${PV}-tempfile.patch)
        epatch ${P}-debian-security.patch

arches please test and stable cscope-5.15-r6, thanks

cscope-15.5-r6 stable on ppc64

alpha stable.

ppc stable

amd64 stable.

sparc stable.

x86 done *~_~*

stable on hppa

GLSA 200606-10

arm, ia64, mips, s390 don't forget to mark stable to benifit from the GLSA.