It should define HAVE_BZLIB and use -lbz2 instead of its own version.
This could be vulnerable to GLSA 200804-02.
I fixed that in app-admin/analog-6.0-r{2,3}. Only -r2 should go stable because the -r3 is EAPI=2.
it was shipping 1.0.2, 30-Dec-2001
I was thinking of a scenario where log file input to analog is not trusted, but I noticed the /var/log/apache2 directory is writable for the apache user. So an attacker could place a CGI script and have the web server execute it, writing a crafted log file there. Other ideas?
Arches, please test and mark stable:
=app-admin/analog-6.0-r2
Target keywords : "alpha amd64 arm hppa ppc ppc64 sparc x86"
On sparc:
1) It does use -lbz2, but it also seems to use its internal version;
2) More seriously, it does not build at all:
========================
make[1]: Leaving directory `/var/tmp/portage/app-admin/analog-6.0-r2/work/analog-6.0/src/zlib'
sparc-unknown-linux-gnu-gcc -O2 -mcpu=ultrasparc3 -pipe -o ../analog alias.o analog.o cache.o dates.o globals.o hash.o init.o init2.o input.o macinput.o macstuff.o output.o output2.o outcro.o outhtml.o outlatex.o outplain.o outxhtml.o outxml.o process.o settings.o sort.o tree.o utils.o win32.o libgd/gd.o libgd/gd_io.o libgd/gd_io_file.o libgd/gd_png.o libgd/gdfontf.o libgd/gdfonts.o libgd/gdtables.o libpng/png.o libpng/pngerror.o libpng/pngmem.o libpng/pngset.o libpng/pngtrans.o libpng/pngwio.o libpng/pngwrite.o libpng/pngwtran.o libpng/pngwutil.o pcre/pcre.o zlib/adler32.o zlib/compress.o zlib/crc32.o zlib/deflate.o zlib/gzio.o zlib/infblock.o zlib/infcodes.o zlib/inffast.o zlib/inflate.o zlib/inftrees.o zlib/infutil.o zlib/trees.o zlib/uncompr.o zlib/zutil.o unzip/ioapi.o unzip/unzip.o bzip2/bzlib.o bzip2/blocksort.o bzip2/compress.o bzip2/crctable.o bzip2/decompress.o bzip2/huffman.o bzip2/randtable.o -lgd -lz -lbz2 -lpcre -lm -lpng -ljpeg
>>> Source compiled.
>>> Test phase [none]: app-admin/analog-6.0-r2
>>> Install analog-6.0-r2 into /var/tmp/portage/app-admin/analog-6.0-r2/image/ category app-admin
!!! dobin: analog does not exist
 *
 * ERROR: app-admin/analog-6.0-r2 failed.
 * Call stack:
 *   ebuild.sh, line 49: Called src_install
 *   environment, line 2140: Called die
 * The specific snippet of code:
 *   dobin analog || die "dobin failed";
 * The die message:
 *   dobin failed
============================
As a cross-check, I note that on amd64 I see the identical failure.
ppc64 same too.... it's looking for the 'analog' executable in the src/ dir but it is actually one dir up in my case.
un-cc'ing arches then.
Oh darn. I seem to have believed the Makefile comments. I should patch those too, I guess. :) I am changing the Makefile patch to not build or link to the bzip2/ objects.
I fixed the patch and the ebuilds. OMG, is another revbump in order now?
Now good on sparc. Sparc stable.
Stable for HPPA.
ppc64 done
amd64/x86 stable
ppc stable
Stable on alpha.
GLSA request filed.
GLSA 200903-40