Bug 271708 - =x11-libs/goffice-0.2.1 removal for GLSA 200801-19
Summary: =x11-libs/goffice-0.2.1 removal for GLSA 200801-19
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: GNOME Office (OBSOLETE)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 25383 glsa-removal
Reported: 2009-05-29 13:40 UTC by Robert Buchholz (RETIRED)
Modified: 2009-07-31 23:50 UTC

See Also:
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-05-29 13:40:53 UTC
Please remove the following ebuilds as they are vulnerable to GLSA 200801-19
( http://www.gentoo.org/security/en/glsa/glsa-200801-19.xml ) :

=x11-libs/goffice-0.2.1


Note that other (unstable) atoms might be missing from this list that are
vulnerable to the same GLSA. Please remove those as well.
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-07-29 15:44:39 UTC
@security, please review this one. It is SLOTTED and no vuln versions exist in the tree.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-07-29 16:13:14 UTC
0.2.1 is vulnerable. There is no non-vulnerable version in that slot, but that version was not fixed against the PCRE issue as far as I see.

/var/tmp/portage/x11-libs/goffice-0.2.1/work/goffice-0.2.1 $ grep PCRE_ ./goffice/cut-n-paste/pcre/pcre.h | head -5
#ifndef _PCRE_H
#define _PCRE_H
#define PCRE_MAJOR          6
#define PCRE_MINOR          3
#define PCRE_DATE           15-Aug-2005
Comment 3 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-07-29 16:37:13 UTC
Oh, I read the GLSA wrongly. Sorry.

>= 0.6.1, revision >= 0.4.3 # 0.2.1 falls out of this range of unaffected versions.

I checked all the rdeps and nothing depends on SLOT=0.2. 2 months w/o maintainer's comment. Removed.
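As an added illustration of the range check in comment 3 (this is not code from the bug, from the GLSA tooling or from Portage): a simplified Gentoo-style version comparison that encodes the two unaffected ranges quoted above and lists the versions the advisory still covers. It assumes "revision >= 0.4.3" means 0.4.3 or any -rN revision of it, and it handles only dotted numbers plus an optional -rN.

```python
import re

# Unaffected ranges for x11-libs/goffice as quoted from GLSA 200801-19 in
# comment 3: "ge" = any version >= 0.6.1; "rge" = 0.4.3 or any -rN revision
# of it (assumed reading of "revision >= 0.4.3").
UNAFFECTED = [("ge", "0.6.1"), ("rge", "0.4.3")]

# Simplified Gentoo version syntax: dotted integers plus an optional -rN.
# Real Portage versions also allow a trailing letter and _alpha/_beta/_rc/_p
# suffixes; those are deliberately not handled here.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")

def parse_version(ver):
    """Return ((0, 4, 3), 2) for '0.4.3-r2'; the revision defaults to 0."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version syntax: {ver!r}")
    base = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2)) if m.group(2) else 0
    return base, rev

def compare(a, b):
    """-1/0/1 ordering of two versions; like Portage, 0.6 sorts before 0.6.0."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)

def is_unaffected(ver, ranges=UNAFFECTED):
    """True if ver falls inside at least one unaffected range."""
    base, rev = parse_version(ver)
    for kind, bound in ranges:
        bbase, brev = parse_version(bound)
        if kind == "ge" and (base, rev) >= (bbase, brev):
            return True
        if kind == "rge" and base == bbase and rev >= brev:
            return True
    return False

def vulnerable_versions(versions):
    """Filter a list of goffice versions down to those the GLSA still covers."""
    return [v for v in versions if not is_unaffected(v)]

# Constructed sample of versions that might sit in the tree across slots.
SAMPLE = ["0.2.1", "0.4.2", "0.4.3", "0.4.3-r1", "0.6.0", "0.6.1", "0.7.0-r2"]

if __name__ == "__main__":
    print("still vulnerable:", vulnerable_versions(SAMPLE))
```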
Comment 4 Gilles Dartiguelongue (RETIRED) gentoo-dev 2009-07-30 07:11:12 UTC
Actually you missed bug #253830. Reopening until I can drop abiword-2.4. It'd be nice to poke maintainer if there is no answer instead of going head first in the wall.
Comment 5 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-07-30 20:54:09 UTC
(In reply to comment #4)
> Actually you missed bug #253830. Reopening until I can drop abiword-2.4. It'd
> be nice to poke maintainer if there is no answer instead of going head first in
> the wall.
> 

Please drop bsd support then. Keeping a vulnerable copy of goffice around because of bug 238225 (which will be approaching its 1 year anniversary soon) is not a good option.

As for my mistake about not knowing that bug #253830 was a problem... well, the dependency is just plain wrong in abiword-plugins then. Please don't say that it will work with any version of goffice when in reality you mean that it will only work with one.

I'm willing to fix something here if you want. But just leaving bugs open, then complaining about someone fixing them when you don't comment on the bug is not ok in my book. Please comment on your bugs next time.
Comment 6 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2009-07-31 23:50:55 UTC
This just works around the problem. Due to expressed concerns in IRC, we will take the "soft road" and just mask the USE flag that pulls in goffice. (It is an incorrect dep listing anyway, bug #253830)

--- package.use.mask    31 Jul 2009 20:47:50 -0000      1.81
+++ package.use.mask    31 Jul 2009 23:47:39 -0000

+# Jeremy Olexa <darkside@gentoo.org> (31 Jul 2009)
+# Mask the gnome USE flag globally for app-office/abiword-plugins-2.4.6 because
+# it depends on a GLSA affected atom. bug 271708
+=app-office/abiword-plugins-2.4.6 gnome
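Review bot: the mask atom `=app-office/abiword-plugins-2.4.6 gnome` matches that exact version only, so a later revision bump of the same ebuild (2.4.6-r1) would silently drop the mask and pull goffice back in; `~app-office/abiword-plugins-2.4.6 gnome` would cover every revision of 2.4.6. The mask comment also names only bug 271708; naming GLSA 200801-19 alongside it would let someone auditing package.use.mask trace the entry straight to the advisory.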