See URL for a very detailed description. Reproducible: Always Steps to Reproduce:
This is ugly.. systrace is masked ~x86 and it's still at version 1.0 in portage, version 1.5 was released on 2004-01-26 according to systrace.org.. Should the claims of the publisher of the email be true (the part in the "executive summary", specifically), and seeing that it's still version 1.0 (and obviously not widely used since it's still marked ~), it should be removed from portage all together.
I'd opt for removal/masking.. We lost the maintainer (natey) some time ago and nobody has even requested anything in regards to systrace in many months, not even a version bump that I'm aware of..
I did find one thing in portage which has never been resolved. http://bugs.gentoo.org/show_bug.cgi?id=35896
hardened no longer supports systrace because of other issues like this one, If noone says otherwise i'll remove it from portage in 24 hours
CCing x86-kernel so that they know to remove systrace from gentoo-sources
sys-apps/systrace and sys-apps/gtk-systrace removed from portage gentoo-sources still needs to remove systrace from kernels i don't see evidence that systrace is applied to any other kernels
gentoo-sources devs, since gentoo-sources is the most used kernel (probably) and we have no way of telling who might have enabled systrace support even unknowingly do you think it's a good idea to release a GLSA?
x86-kernel is maintaining gentoo-sources now. afaic, all 2.4.22-gentoo kernels can be removed from portage. I'm sure plasmaroo won't disagree.
Since it is patched upstream in 2.4.25 and 2.4.25 is stable; no, I don't really see the point of a GLSA.
Changing product to GLSA for discussion on how appropriate a GLSA is on the subject.
As the vulnerable part of systrace was in the kernel, and the kernels haven't had systrace patches for quite some time I agree with tim and brian about the non-necessity of a glsa
Closing without GLSA, as systrace is no longer supported. -K
*** Bug 48080 has been marked as a duplicate of this bug. ***
