CVE-2009-4274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4274): Stack-based buffer overflow in converter/ppm/xpmtoppm.c in netpbm before 10.47.07 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an XPM image file that contains a crafted header field associated with a large color index value.
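As an added illustration of the bug class the advisory text describes (a header-supplied count used as the bound for a fixed-size stack array), here is a hypothetical XPM3-style values-line and colour-table reader that range-checks every header field before indexing. This is example code, not netpbm's xpmtoppm.c, and the limits (MAX_COLORS, MAX_CPP, MAX_DIM), the status codes and the function names are assumptions chosen for the example:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not netpbm's code: a minimal XPM3-style header and colour
 * table reader that validates the header counts before using them as bounds
 * for a fixed-size stack array. Limits and names are illustrative. */

#define MAX_COLORS 256   /* capacity of the fixed colour table */
#define MAX_CPP    4     /* chars-per-pixel this reader accepts */
#define MAX_DIM    65535 /* largest width/height accepted */

enum xpm_status {
    XPM_OK = 0,
    XPM_BAD_VALUES,      /* values line does not parse as four integers */
    XPM_BAD_DIMENSION,   /* width or height out of range */
    XPM_BAD_NCOLORS,     /* ncolors outside [1, MAX_COLORS]: the CVE's bug class */
    XPM_BAD_CPP,         /* chars-per-pixel out of range */
    XPM_SHORT_INPUT,     /* fewer colour lines than ncolors promised */
    XPM_BAD_COLOR_LINE   /* colour line malformed or too long */
};

struct xpm_header { long width, height, ncolors, cpp; };

struct xpm_color {
    char key[MAX_CPP + 1]; /* pixel code, NUL terminated */
    char value[64];        /* colour spec such as "c #FF0000" */
};

/* Parse the values line ("<width> <height> <ncolors> <cpp>") and range-check
 * every field. The unsafe pattern is to take ncolors straight from the file
 * as the loop bound over colors[MAX_COLORS]; a value above MAX_COLORS (or a
 * negative one) would then index past the end of the array. */
enum xpm_status xpm_parse_values(const char *line, struct xpm_header *h)
{
    if (sscanf(line, "%ld %ld %ld %ld",
               &h->width, &h->height, &h->ncolors, &h->cpp) != 4)
        return XPM_BAD_VALUES;
    if (h->width < 1 || h->width > MAX_DIM ||
        h->height < 1 || h->height > MAX_DIM)
        return XPM_BAD_DIMENSION;
    if (h->cpp < 1 || h->cpp > MAX_CPP)
        return XPM_BAD_CPP;
    if (h->ncolors < 1 || h->ncolors > MAX_COLORS)
        return XPM_BAD_NCOLORS;
    return XPM_OK;
}

/* Read h->ncolors newline-separated colour lines ("<key><space><spec>") from
 * text into colors[]. Only call after xpm_parse_values returned XPM_OK. */
enum xpm_status xpm_read_colors(const char *text, const struct xpm_header *h,
                                struct xpm_color colors[MAX_COLORS])
{
    const char *p = text;
    size_t cpp = (size_t)h->cpp;

    for (long i = 0; i < h->ncolors; i++) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        size_t vlen;

        if (len == 0)
            return XPM_SHORT_INPUT;
        /* key occupies exactly cpp bytes, then one space, then the spec */
        if (len < cpp + 2 || p[cpp] != ' ')
            return XPM_BAD_COLOR_LINE;
        vlen = len - cpp - 1;
        if (vlen >= sizeof colors[i].value)
            return XPM_BAD_COLOR_LINE;
        memcpy(colors[i].key, p, cpp);
        colors[i].key[cpp] = '\0';
        memcpy(colors[i].value, p + cpp + 1, vlen);
        colors[i].value[vlen] = '\0';

        if (!nl)
            return (i + 1 == h->ncolors) ? XPM_OK : XPM_SHORT_INPUT;
        p = nl + 1;
    }
    return XPM_OK;
}

/* Validate the header and load the colour table in one step. */
enum xpm_status xpm_load(const char *values_line, const char *color_lines,
                         struct xpm_header *h, struct xpm_color colors[MAX_COLORS])
{
    enum xpm_status s = xpm_parse_values(values_line, h);
    return s == XPM_OK ? xpm_read_colors(color_lines, h, colors) : s;
}

int main(void)
{
    /* constructed sample input: a 4-colour, 1 char-per-pixel colour table */
    static const char good[] = "  c None\n. c #000000\nX c #FFFFFF\no c #FF0000";
    struct xpm_header h;
    struct xpm_color colors[MAX_COLORS];

    printf("well-formed header: %d\n", xpm_load("16 16 4 1", good, &h, colors));
    /* the oversized count is rejected before any array index is computed */
    printf("ncolors=100000:     %d\n", xpm_load("16 16 100000 1", good, &h, colors));
    return 0;
}
```

The point of the check is where it sits: the count is validated once, at parse time, and every later loop in the reader may then trust it as an upper bound on the fixed array. Note that the comparison is signed, so a negative ncolors is rejected too rather than being converted to a huge unsigned loop bound.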
The newest ebuild in the tree is still vulnerable; the CVE versioning is wrong: http://netpbm.svn.sourceforge.net/viewvc/netpbm/stable/converter/ppm/xpmtoppm.c?view=patch&r1=995&r2=1076&pathrev=1076 Please provide a patched ebuild or bump to a newer version.
netpbm-10.49.00 now in the tree
Cannot build netpbm-10.49.00 on Gentoo/FreeBSD because it uses the undefined signal SIGPWR. Upstream trunk already fixes this problem. Here is a patch: http://netpbm.svn.sourceforge.net/viewvc/netpbm/trunk/lib/libsystem.c?r1=1129&r2=1149&view=patch I've confirmed that applying this patch makes it possible to emerge netpbm-10.49.00 on Gentoo/FreeBSD.
new issues -> new bugs
10.49.00 is stable now ...
GLSA request filed.
From Bryan Henderson <bryanh@giraffe-data.com> I got an update related to version 10.49 (segfault in libc): "Thanks for the report. There was a bug with that symptom fixed in Release 10.50 (March 2010), and I can't reproduce the problem in current code." v 10.51-r1 emerged here on an almost stable 32bit x86 Gentoo w/o problems.
This issue was resolved and addressed in GLSA 201311-08 at http://security.gentoo.org/glsa/glsa-201311-08.xml by GLSA coordinator Sean Amoss (ackle).