Bug 390769 (CVE-2011-4000) - <app-text/chasen-2.4.4-r2: Unspecified vulnerability (CVE-2011-4000)
Status: RESOLVED FIXED
Alias: CVE-2011-4000
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Reported: 2011-11-17 00:03 UTC by GLSAMaker/CVETool Bot
Modified: 2012-07-09 22:23 UTC
Description GLSAMaker/CVETool Bot gentoo-dev 2011-11-17 00:03:52 UTC
CVE-2011-4000 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4000):
  Buffer overflow in ChaSen 2.4.x allows remote attackers to execute arbitrary
  code via a crafted string.


JPCERT Advisory at https://jvn.jp/jp/JVN16901583/index.html.
Comment 1 Naohiro Aota gentoo-dev 2011-11-21 08:11:32 UTC
http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000099.html
> Solution
> 
>     [Do not use ChaSen]
>     According to the developer, there are no plans for ChaSen to be updated or maintained. Therefore, it is recommended to consider using a different product that provides similar functionality.
> 
>     [Apply a workaround]
>     According to the developer, this vulnerability occurred when adding functionality to the ChaSen 2.4 series.
>     For software developers that would like to continue using ChaSen, applying the following workaround will mitigate the effects of this vulnerability.
> 
>     * Use ChaSen version 2.3.3 

Upstream won't release the fix... I'm thinking to remove the package.

<naota> !ddep chasen  [17:03]
<willikins> naota: Reverse DEPEND for app-text/chasen: app-dicts/ipadic-2.7.0
	    app-dicts/ipadic-2.7.0-r1 app-dicts/ipadic-2.7.0-r2
	    app-text/namazu-2.0.18:chasen app-text/namazu-2.0.19:linguas_ja
	    app-text/namazu-2.0.19-r1:linguas_ja
	    app-text/namazu-2.0.20:linguas_ja
	    app-text/namazu-2.0.21:linguas_ja dev-ruby/ruby-chasen-1.7-r1
<naota> !rdep chasen
<willikins> naota: Reverse RDEPEND for app-text/chasen: app-dicts/ipadic-2.7.0
	    app-text/namazu-2.0.18:chasen app-text/namazu-2.0.19:linguas_ja
	    app-text/namazu-2.0.19-r1:linguas_ja
	    app-text/namazu-2.0.20:linguas_ja
	    app-text/namazu-2.0.21:linguas_ja dev-ruby/ruby-chasen-1.7-r1

namazu works without chasen (chasen is an optional dependency; namazu works with kakashi or mecab)

Need to drop
- chasen
- ipadic
- ruby-chasen
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-11-22 16:37:15 UTC
(In reply to comment #1) 
> 
> Upstream won't release the fix... I'm thinking to remove the package.
> 

...

> Need to drop
> - chasen
> - ipadic
> - ruby-chasen

This sounds like a reasonable approach to me. Do you mind doing it?
Comment 3 Naohiro Aota gentoo-dev 2011-11-24 04:07:33 UTC
Masked for removal.

+# Naohiro Aota <naota@gentoo.org> (24 Nov 2011)
+# Masked for removal in 30 days
+# due to end of support (upstream) and
+# security issue: bug 390769
+app-text/chasen
+app-dicts/ipadic
+dev-ruby/ruby-chasen
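Review bot: The entry masks app-text/chasen, app-dicts/ipadic and dev-ruby/ruby-chasen but does not address the app-text/namazu reverse dependencies listed in comment 1 (namazu-2.0.18:chasen and the :linguas_ja versions), so namazu built with those flags still depends on a masked package; consider masking the corresponding namazu USE flags in the same change, or state in the mask comment how namazu is handled. The reason line cites only bug 390769; adding CVE-2011-4000 there would let users who search the mask file by CVE find it, and "in 30 days" would be clearer as an explicit removal date.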
Comment 4 Rafał Mużyło 2011-12-02 09:58:29 UTC
I'm not quite sure, but it seems http://git.sourceforge.jp/view?p=chasen-legacy/chasen.git;a=commitdiff;h=05f4be730e9e672bfeae867d9f23055aa3e72ee1 is supposed to be the fix.

Though that doesn't change "end of support" part.
Comment 5 df 2011-12-07 06:33:22 UTC
(In reply to comment #4)
> I'm not quite sure, but it seems
> http://git.sourceforge.jp/view?p=chasen-legacy/chasen.git;a=commitdiff;h=05f4be730e9e672bfeae867d9f23055aa3e72ee1
> is supposed to be the fix.
> 
> Though that doesn't change "end of support" part.

It is pushed by chasen package maintainer @ Debian.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648359

I'm not sure either. Does it seem to be reviewed now?
Comment 6 df 2011-12-08 16:19:29 UTC
patch (chasen244-secfix.diff) has been released officially.
http://sourceforge.jp/projects/chasen-legacy/releases/?package_id=5861
# same as http://git.sourceforge.jp/view?p=chasen-legacy/chasen.git;a=commitdiff;h=05f4be730e9e672bfeae867d9f23055aa3e72ee1

but it is not changed "end of support" situation as Rafał said probably..
Comment 7 Naohiro Aota gentoo-dev 2011-12-18 06:33:28 UTC
Added the security fix. Could you test the package? I'll drop the mask then.
Comment 8 Pacho Ramos gentoo-dev 2012-03-18 12:46:20 UTC
Any updates here? mask entry still tells people this is masked for removal in 30 days...
Comment 9 Naohiro Aota gentoo-dev 2012-03-19 06:59:38 UTC
(In reply to comment #8)
> Any updates here? mask entry still tells people this is masked for removal
> in 30 days...

The security fixed version seems fine. I've dropped the mask.
Comment 10 df 2012-04-08 10:10:13 UTC
it's time to arch tests?
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2012-04-08 15:38:09 UTC
(In reply to comment #9)
> 
> The security fixed version seems fine. I've dropped the mask.

packages.g.o is still showing this masked, although I am not sure why, I don't see the mask locally.

(In reply to comment #10)
> it's time to arch tests?

Yes, please.

Arches, please test and mark stable:
=app-text/chasen-2.4.4-r2
Target keywords : "amd64 ppc ppc64 sparc x86"
Comment 12 df 2012-04-08 22:07:45 UTC
(In reply to comment #6)
> but it is not changed "end of support" situation as Rafał said probably..

quote from http://jvn.jp/en/jp/JVN16901583/index.html :
> ChaSen legacy project has inherited development of  ChaSen since 11/8/2011.

@Maintainer,
Please care about Bug 411297 I filed.
Comment 13 Andreas Schürch gentoo-dev 2012-04-10 20:14:41 UTC
x86 stable.
Comment 14 Brent Baude (RETIRED) gentoo-dev 2012-04-15 16:01:00 UTC
ppc done
Comment 15 Agostino Sarubbo gentoo-dev 2012-04-16 12:49:50 UTC
amd64 stable
Comment 16 Mark Loeser (RETIRED) gentoo-dev 2012-05-06 19:05:10 UTC
moved to ~ppc64, thus we are done
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2012-06-09 19:10:08 UTC
sparc keywords dropped
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2012-06-10 15:40:43 UTC
Thanks, folks. Already in GLSA request.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2012-07-09 22:23:46 UTC
This issue was resolved and addressed in
 GLSA 201207-03 at http://security.gentoo.org/glsa/glsa-201207-03.xml
by GLSA coordinator Sean Amoss (ackle).