Bug 120224 - dev-lisp/clisp-2.38 fixes security issue
Summary: dev-lisp/clisp-2.38 fixes security issue
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: ? [noglsa] DerCorny
Reported: 2006-01-24 14:50 UTC by Carsten Lohrke (RETIRED)
Modified: 2006-02-11 11:37 UTC
CC List: 3 users

Description Carsten Lohrke (RETIRED) gentoo-dev 2006-01-24 14:50:42 UTC
The following freshmeat information:

A security issue in the SYSLOG interface (POSIX module) and an OPEN/:APPEND regression have been fixed. SAVEINITMEM can create standalone executables. 

and the ChangeLog:

* POSIX:SYSLOG no longer recognizes "%m" and other formatting instructions.
  For your safety and security, please do all formatting in Lisp.

are unfortunately both not specific about the vulnerability.
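The fix the ChangeLog describes, formatting the message on the caller's side and handing the result to syslog(3) as data rather than as a format string, shown as an added C example that is not CLISP's code and not part of this bug report; `has_format_directive` and `syslog_literal` are names chosen here, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Returns 1 if msg contains a conversion directive that syslog(3) would
 * interpret if msg were (wrongly) passed as the format argument; "%%" is
 * a literal percent sign and does not count. Useful as an audit check on
 * strings that an older pass-through wrapper would have parsed. */
int has_format_directive(const char *msg)
{
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        return 1;               /* "%m", "%s", "%n", ... would be parsed */
    }
    return 0;
}

/* Hardened wrapper mirroring the 2.38 behaviour: all formatting happens
 * on the caller's side with a trusted format string (vsnprintf), and the
 * rendered text is given to syslog(3) through a fixed "%s" format, so
 * nothing inside it, including a "%m" supplied by a remote user, is ever
 * interpreted as a directive. Returns the rendered length so the caller
 * can detect truncation; buf receives the rendered message. */
int syslog_literal(int priority, char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, buflen, fmt, ap); /* formatting done here, not in syslog */
    va_end(ap);
    syslog(priority, "%s", buf);             /* message is data, never a format */
    return n;
}

int main(void)
{
    char buf[64];
    /* constructed untrusted value: a username containing a directive */
    int n = syslog_literal(LOG_INFO, buf, sizeof buf, "login failed for %s", "bob%m");
    printf("logged %d bytes: %s (directive present: %d)\n", n, buf, has_format_directive(buf));
    return 0;
}
```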
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-24 14:59:12 UTC
please provide fixed ebuilds, thx
Comment 2 Matthew Kennedy (RETIRED) gentoo-dev 2006-01-25 13:51:17 UTC
I just committed a new ebuild for clisp-2.38. Will we be issuing a GLSA? I think the security issue at hand is an unsafe function in CLISP POSIX package, so my feeling is it is not necessary...
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-25 14:01:58 UTC
ppc and x86, please mark stable.

Regarding a GLSA, I'm not sure yet - I guess there will be a vote to decide that after arches marked stable.
Comment 4 Mark Loeser (RETIRED) gentoo-dev 2006-01-27 17:17:17 UTC
x86 done
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2006-01-28 02:41:47 UTC
ppc stable
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-28 06:29:18 UTC
Let's have a GLSA vote. Perl had something similar and we issued a GLSA back then. Though I'd say no, C also has unsafe formatted printing functions and nobody would "fix" them...
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-02-06 12:26:46 UTC
I tend to vote YES.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-02-07 10:19:18 UTC
I tend to vote no...
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-02-11 11:37:50 UTC
This is not really a security issue. It's a security improvement, that removes some POSIX compatibility functions that would be unsafe if improperly used.

Correcting to full NO and closing, feel free to reopen if you disagree.