Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2007-08-14 11:48:43 UTC

Created attachment 128039 [details, diff]
CVE-2007-3852.patch

Upstream patch that will be applied to the next release.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) 2007-08-14 11:51:29 UTC

jer, please advise and patch as necessary.

Comment 3 Jeroen Roovers (RETIRED) 2007-08-14 17:14:01 UTC

Which is the next release? Not the development branch (7.1*), I would think.

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) 2007-08-14 17:29:07 UTC

I'm not sure, but I guess the fix for the stable version is pretty close to the patch attached.

Comment 5 Jeroen Roovers (RETIRED) 2007-08-14 18:11:35 UTC

The patch doesn't apply to the stable 7.0*.
The patch does apply to the unstable 7.1*.

Sadly I cannot access the details of this CVE. I am changing the summary hoping to catch all vulnerable versions.

Comment 6 Jeroen Roovers (RETIRED) 2007-08-14 18:22:56 UTC

It seems the init.d script from upstream isn't even installed by our ebuild. Instead ${FILESDIR}/sysstat.init.d is installed, so currently we are not vulnerable at all.

I could change the ebuild to put the patched upstream init.d script in /usr/share/doc*, though. Then we'd have somewhat of a vulnerability! :)

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) 2007-08-21 06:13:50 UTC

Thx for the info Jeroen. I should have looked more closely before filing this.