CVE-2007-6703 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6703): Unspecified vulnerability in vdccm before 0.10.1 in SynCE (SynCE-dccm) might allow attackers to cause a denial of service via unspecified vectors.

CVE-2008-1136 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1136): The Utils::runScripts function in src/utils.cpp in vdccm 0.92 through 0.10.0 in SynCE (SynCE-dccm) allows remote attackers to execute arbitrary commands via shell metacharacters in a certain string to TCP port 5679.
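The bug class behind CVE-2008-1136 is a network-supplied string spliced into a command line that a shell then parses. The following is an added illustration written for this page, not vdccm's or SynCE's own code: the vulnerable shape is a hypothetical reconstruction (the real Utils::runScripts is not reproduced here), and every function name, the "connect.sh" script path and the device-name character set are assumptions chosen for the example. It places the injectable pattern beside two hardened forms: a conservative allow-list for the value, and a fork/execv path where the untrusted value is exactly one argv element and no shell is ever involved.

```cpp
// Added example, not SynCE/vdccm source. Function names, paths and the
// allowed character set are assumptions made for illustration.
#include <cstdlib>
#include <string>
#include <vector>
#include <unistd.h>
#include <sys/wait.h>

// --- Vulnerable pattern (hypothetical reconstruction) ---
// The device name arrives over TCP and is concatenated into a command line
// destined for system(). /bin/sh then interprets ';', '|', '`', '$(' and
// friends inside the name, so "pda; touch /tmp/pwned" runs a second command.
std::string build_shell_command(const std::string& script_dir,
                                const std::string& device_name) {
    return script_dir + "/connect.sh " + device_name;   // would be passed to system()
}

// --- Hardened form 1: validate the value before it is used anywhere ---
// A device name only needs a small character set (assumed here); reject the
// rest, and never let it start with '-' so it cannot be parsed as an option.
bool is_safe_device_name(const std::string& s) {
    if (s.empty() || s.size() > 64) return false;
    for (unsigned char c : s) {
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
        if (!ok) return false;
    }
    return s[0] != '-';
}

// --- Hardened form 2: never involve a shell ---
// The untrusted value becomes exactly one argv element; metacharacters in
// it are just bytes of that argument.
std::vector<std::string> build_argv(const std::string& script_path,
                                    const std::string& device_name) {
    return {script_path, device_name};
}

// fork/execv the argv. Returns the child's exit status, 127 if the exec
// itself failed (no fallback to sh), or -1 on fork/wait errors.
int run_script_no_shell(const std::string& script_path,
                        const std::string& device_name) {
    std::vector<std::string> args = build_argv(script_path, device_name);
    std::vector<char*> argv;
    for (std::string& a : args) argv.push_back(&a[0]);
    argv.push_back(nullptr);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv.data());
        _exit(127);   // exec failed: report it, do not retry through a shell
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

In practice both hardening steps belong together: the allow-list rejects hostile input early (and keeps the name usable in logs and filenames), while the execv path guarantees that even an unanticipated byte sequence cannot reach a shell parser.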
We do not have >=0.9.2 in the tree, so CVE-2008-1136 should not affect us. However, CVE-2007-6703 might still be a valid problem. pda herd, is this ebuild still maintained?
pda herd, ping.
(In reply to comment #2)
> pda herd, ping.

any news here?
SynCE ebuilds are maintained in an overlay. See #178807. I'm trying to get it in the tree :)
Next step is to stabilize synce* 0.12, so we can remove those insecure packages.
is synce-dccm replaced by another package in synce 0.12? Since we waited half a year on this bug already, I don't think we need 0.12 stable right now, how does a two week window of trying it in ~arch sound?
Yes, now it's called synce-odccm. Actually we have versions 0.11.1 and 0.12, which are currently in ~arch.
I would prefer to see synce-hal instead of any *dccm as this is the direction $UPSTREAM is going. IANADev but I'm happy for a short stabilisation given the amount of time it spent in the overlay.
Ian/Federico, can you please point out an exact list of stable targets for synce? Then I'll add arches to CC on this bug. Furthermore, is the fact that the Gentoo PDA guide is not yet finished a blocker for stabilization?
ping, Ian and Federico, please look at the previous comment.
ping?
Hmm, where was I? The only arches I know SynCE is regularly used on are x86 and amd64. There are some BSD'ers, but I don't think they use Gentoo... Is that enough?
With stable targets I meant which ebuilds (package names, versions) to go stable.
Adjusting whiteboard severity because of remote code execution (CVE-2008-1136). Changing whiteboard state to ebuild, as I don't see an ebuild in the tree. *ping* to pda herd!
*ping* Please bump, then let us close this.
OK, what exactly needs to be done here? synce-dccm could probably be removed but I can't remember if it's needed for 2003 or earlier devices. synce-hal or synce-odccm definitely obsolete it. PS, what pda herd? :p
OK, the original bug was about vdccm, which is no longer in the tree nor supported by SynCE. Its successors synce-odccm and synce-hal are well past these affected versions. Ergo this bug can be closed. After all, this isn't a stabilisation bug, just a vulnerability one. :)
synce-dccm is no longer in portage (pending on bug 340007 for reinclusion), and because it's been fixed upstream, if this is ever going to be restored, it'll be fixed. Feel free to close this bug as you see fit.
Package was never stable. Closing noglsa.