Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 156573 - app-text/evince bundles vulnerable gv?
Summary: app-text/evince bundles vulnerable gv?
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: B2 [glsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2006-11-28 21:57 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-04-06 23:22 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Proposed patch, based on the gv patch. for version 0.6.1 (overflow.patch,703 bytes, patch)
2006-11-29 03:33 UTC, Stefan Cornelius (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-28 21:57:08 UTC
Seems like evince is affected by GLSA 200611-20. Any other packages bundling gv?
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-29 03:31:59 UTC
confirmed that it is possible to overwrite the EIP. I'll attach a patch that fixed the problem for me. somebody should doubletest, just to make sure that i didnt mess up.there is another app called "ggv" that might bundle gv code, but not checked yet.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-11-29 03:33:44 UTC
Created attachment 102972 [details, diff]
Proposed patch, based on the gv patch. for version 0.6.1
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-12-01 01:35:16 UTC
upstream patch:

http://cvs.gnome.org/viewcvs/evince/ps/ps.c?r1=1.6&r2=1.6.6.1&makepatch=1&diff_format=h
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 10:56:36 UTC
Gnome please advise.
Comment 5 Daniel Gryniewicz (RETIRED) gentoo-dev 2007-03-26 19:58:08 UTC
Okay, I've added 0.6.1-rc3 to the tree with this fix.

Arches:  Literally the only change was to the postscript backend.  You should only need to test .ps files.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-27 06:31:08 UTC
Thx Daniel.

Arches please test and mark stable. Target keywords are:

evince-0.6.1-r3.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-27 07:01:07 UTC
x86 stable
Comment 8 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-27 13:49:29 UTC
sparc stable.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2007-03-27 14:43:11 UTC
Stable for HPPA.
Comment 10 Chris Gianelloni (RETIRED) gentoo-dev 2007-03-27 18:39:10 UTC
alpha/amd64/ia64 done
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2007-03-27 19:07:33 UTC
ppc stable
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2007-03-29 14:45:31 UTC
ppc64 stable
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-06 23:22:19 UTC
GLSA 200704-06, thanks to everybody