Comment 1 Michael Weber (RETIRED) 2012-06-02 18:27:50 UTC

Arches, please go ahead (without 30 days delay)

Target alpha amd64 ppc ppc64 sparc x86

Thanks

Comment 2 Alex Legler (RETIRED) 2012-06-02 19:05:34 UTC

Arches, the package to stabilize is sys-power/nut-2.6.3.

Comment 3 Agostino Sarubbo 2012-06-02 22:14:27 UTC

amd64 stable

Comment 4 Michael Weber (RETIRED) 2012-06-03 16:16:40 UTC

ppc stable

Comment 5 Paweł Hajdan, Jr. (RETIRED) 2012-06-08 11:32:51 UTC

x86 stable

Comment 6 Raúl Porcel (RETIRED) 2012-06-09 19:07:14 UTC

alpha/sparc keywords dropped

The vulnerability exists in <sys-power/nut-2.6.4 (not 2.6.3 as it is written in the title of this bug).

The actual version now is sys-power/nut-2.6.5 (which contains another important fix which is not related to security: "any upssched.conf command that takes a second argument resulted in a defective frame sent to the parent process. Thus, the command was not executed").

(In reply to comment #7)
> The vulnerability exists in <sys-power/nut-2.6.4 (not 2.6.3)

Please ignore my previous comment. It's true that vulnerability is fixed in 2.6.4 upstream but the ebuild applies a patch to 2.6.3 in order to fix the vulnerability.

Comment 9 Kacper Kowalik (Xarthisius) (RETIRED) 2012-09-20 11:54:09 UTC

ppc64 stable, last arch done

Comment 10 GLSAMaker/CVETool Bot 2012-09-20 13:14:21 UTC

CVE-2012-2944 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2944):
  Buffer overflow in the addchar function in common/parseconf.c in upsd in
  Network UPS Tools (NUT) before 2.6.4 allows remote attackers to execute
  arbitrary code or cause a denial of service (electric-power outage) via a
  long string containing non-printable characters.

Comment 11 Sean Amoss (RETIRED) 2012-09-20 13:16:03 UTC

Thanks, everyone.

Filing a new GLSA request.

Comment 12 GLSAMaker/CVETool Bot 2012-09-27 20:13:50 UTC

This issue was resolved and addressed in
 GLSA 201209-19 at http://security.gentoo.org/glsa/glsa-201209-19.xml
by GLSA coordinator Sean Amoss (ackle).