Please remove the following ebuilds as they are vulnerable to GLSA 200801-19 ( http://www.gentoo.org/security/en/glsa/glsa-200801-19.xml ):

=x11-libs/goffice-0.2.1

Note that other (unstable) atoms might be missing from this list that are vulnerable to the same GLSA. Please remove those as well.
@security, please review this one. It is SLOTTED and no vuln versions exist in the tree.
0.2.1 is vulnerable. There is no non-vulnerable version in that slot, but that version was not fixed against the PCRE issue as far as I see.

/var/tmp/portage/x11-libs/goffice-0.2.1/work/goffice-0.2.1 $ grep PCRE_ ./goffice/cut-n-paste/pcre/pcre.h | head -5
#ifndef _PCRE_H
#define _PCRE_H
#define PCRE_MAJOR 6
#define PCRE_MINOR 3
#define PCRE_DATE 15-Aug-2005
Oh, I read the GLSA wrongly. Sorry.

>= 0.6.1, revision >= 0.4.3 # 0.2.1 falls out of this range of unaffected versions.

I checked all the rdeps and nothing depends on SLOT=0.2. 2 months w/o maintainer's comment. removed.
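One way to apply the GLSA range reading from the comment above to every version in a slot, as an added example (not code from this thread or from Gentoo's own glsa-check): it treats `>= 0.6.1` as an open-ended range and `revision >= 0.4.3` as unaffected only within the 0.4.x branch (my reading of the GLSA "revision" range), and simplifies Gentoo version parsing to dotted numbers plus an optional -rN ebuild revision.

```python
import re

# Added example (not from the bug thread or Gentoo's tooling). Version parsing is
# simplified to dotted numbers with an optional -rN ebuild revision; suffixes such
# as _rc or _p are not handled.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")

def parse_version(v):
    """Return (numeric components, ebuild revision) for e.g. '0.4.3-r1'."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, int(m.group(2) or 0)

def compare(a, b):
    """Three-way compare (-1, 0, 1); tuple order gives 0.4.3 < 0.4.3-r1 < 0.4.4."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)

def unaffected(version, ranges):
    """True if `version` falls in one of the GLSA's unaffected ranges.

    ranges: list of (kind, base). 'ge' is open-ended (>= base); 'rge' is the
    GLSA "revision" range, read here as >= base but only within base's branch
    (0.4.3 covers 0.4.x only, so 0.5.0 is still affected)."""
    vparts = parse_version(version)[0]
    for kind, base in ranges:
        if compare(version, base) < 0:
            continue
        if kind == "ge":
            return True
        if kind == "rge":
            branch = parse_version(base)[0][:-1]
            if vparts[:len(branch)] == branch:
                return True
    return False

# Unaffected ranges of GLSA 200801-19 as quoted in the thread.
GLSA_200801_19_UNAFFECTED = [("ge", "0.6.1"), ("rge", "0.4.3")]

def affected_in_tree(versions, ranges=GLSA_200801_19_UNAFFECTED):
    """Return the versions that must still be dropped or patched."""
    return [v for v in versions if not unaffected(v, ranges)]

if __name__ == "__main__":
    # Constructed sample of goffice versions; only 0.2.1 appears in the thread.
    print(affected_in_tree(["0.2.1", "0.4.2", "0.4.3-r1", "0.5.0", "0.6.1"]))
```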
Actually you missed bug #253830. Reopening until I can drop abiword-2.4. It'd be nice to poke maintainer if there is no answer instead of going head first in the wall.
(In reply to comment #4)
> Actually you missed bug #253830. Reopening until I can drop abiword-2.4. It'd
> be nice to poke maintainer if there is no answer instead of going head first in
> the wall.
>

Please drop bsd support then. Keeping a vulnerable copy of goffice around because of bug 238225 (which will be approaching its 1 year anniversary soon) is not a good option.

As for my mistake about not knowing that bug #253830 was a problem... well, the dependency is just plain wrong in abiword-plugins then. Please don't say that it will work with any version of goffice when in reality you mean that it will only work with one.

I'm willing to fix something here if you want. But just leaving bugs open, then complaining about someone fixing them when you don't comment on the bug is not ok in my book. Please comment on your bugs next time.
This just works around the problem. Due to expressed concerns in IRC, we will take the "soft road" and just mask the USE flag that pulls in goffice. (It is an incorrect dep listing anyway, bug #253830) --- package.use.mask 31 Jul 2009 20:47:50 -0000 1.81 +++ package.use.mask 31 Jul 2009 23:47:39 -0000 +# Jeremy Olexa <darkside@gentoo.org> (31 Jul 2009) +# Mask the gnome USE flag globally for app-office/abiword-plugins-2.4.6 because +# it depends on a GLSA affected atom. bug 271708 +=app-office/abiword-plugins-2.4.6 gnome
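Review bot: the mask comment in the added lines cites only bug 271708, but the reason the mask is needed at all is the incorrect goffice dependency in abiword-plugins (bug #253830, named in the sentence above the diff); naming that bug in the mask comment records when the entry can be dropped again, e.g. `# Remove once the goffice dep is corrected, bug #253830`. The excerpt also carries no `@@` hunk header or context lines, so where in package.use.mask the entry lands is not visible here.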