Hi,

"Buffer overflow in the readImageData function in giftopnm.c in netpbm before 10.27 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted GIF image, a similar issue to CVE-2006-4484."

Actual latest stable ebuilds for all arches are fixed -> no GLSA will be needed. This patch has been introduced in 10.27 but it was only identified as a security issue (related to old CVE-2006-4484) a few days ago.

For more information:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464056
https://issues.rpath.com/browse/RPL-2216
done.
Thanks a lot, Markus.
Will people stop "fixing" netpbm. The old versions should not be removed, nor are they vuln. If the GLSA says "<10.27", then it's broken and needs to have a more exact version check added to it.
If there is an error in one of the netpbm GLSAs, please post the fixes needed and I'll update the GLSA.
I've never actually played with the GLSA format, so I can't post a diff. While I don't know the first version in the 10.26.x series to be fixed, 10.26.49 for sure is not vuln.
I've added 10.26.48 and 10.26.49 as unaffected on glsa-200508-04 and glsa-200510-18. Is there anything further to do here?
There are going to be more 10.26.x releases, so unless the GLSA allows all 10.26.x where x is >= 49, people are going to keep screwing things up.
(In reply to comment #7)
> there are going to be more 10.26.x releases, so unless the glsa allows all
> 10.26.x where x is >= 49, people are going to keep screwing things up

Unfortunately it doesn't; the only way would be to make sure that all the 10.26.x were unaffected... By the way, why do you need the 10.26.x series so badly when 10.40.x and 10.41.x are out there?
They are different release series. One is the "stable" branch while the other is the "advanced and commonly broken" series. Sounds like the GLSA format needs updating.
> sounds like the glsa format needs updating.

We've known that for a long time. To make that feasible we need someone to fix up glsa-check (and others). I guess no one has had the time to do so.
I've fixed this specific issue by correcting GLSA-200510-18. Of course this does not fix the global issue that GLSAs lack ranges.
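The thread's core complaint is that a flat "vulnerable below 10.27" check flags the fixed 10.26.x branch, and that listing individual unaffected versions breaks again at the next 10.26.x release. The following is an added illustration, not code from the thread or from Gentoo's glsa-check: it models the three advisory shapes discussed (flat range, whitelisted versions, branch-scoped range). The `rge` operator and its "same branch" semantics are an assumption chosen to express "all 10.26.x where x >= 49", not a claim about the real GLSA format.

```python
# Added example (not glsa-check code): branch-aware version ranges for the netpbm case.
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """'10.26.49' -> (10, 26, 49): numeric tuples compare correctly (10.26.10 < 10.26.49),
    whereas a plain string compare would not."""
    return tuple(int(part) for part in v.split("."))

def matches(version: str, op: str, bound: str) -> bool:
    """lt/ge/eq are ordinary comparisons. 'rge' is branch-scoped (assumed semantics):
    it only matches when every component but the last equals the bound's, so
    ('rge', '10.26.49') means 'any 10.26.x with x >= 49' and never touches 10.27+."""
    v, b = parse_version(version), parse_version(bound)
    if op == "lt":
        return v < b
    if op == "ge":
        return v >= b
    if op == "eq":
        return v == b
    if op == "rge":
        return v[:-1] == b[:-1] and v >= b
    raise ValueError(f"unknown range op {op!r}")

def is_vulnerable(version: str, advisory: Dict[str, List[Tuple[str, str]]]) -> bool:
    """An installed version is affected if it hits a vulnerable range and no
    unaffected range; unaffected ranges take precedence, which is how adding
    10.26.48/10.26.49 as unaffected in the thread silenced the false alarm."""
    if any(matches(version, op, b) for op, b in advisory["unaffected"]):
        return False
    return any(matches(version, op, b) for op, b in advisory["vulnerable"])

# Constructed advisories mirroring the thread (versions are the ones it names).
ORIGINAL = {"vulnerable": [("lt", "10.27")], "unaffected": [("ge", "10.27")]}
PATCHED = {"vulnerable": [("lt", "10.27")],
           "unaffected": [("ge", "10.27"), ("eq", "10.26.48"), ("eq", "10.26.49")]}
RANGED = {"vulnerable": [("lt", "10.27")],
          "unaffected": [("ge", "10.27"), ("rge", "10.26.49")]}

if __name__ == "__main__":
    for ver in ("10.26.10", "10.26.49", "10.26.50", "10.27", "10.41.0"):
        print(ver, [is_vulnerable(ver, a) for a in (ORIGINAL, PATCHED, RANGED)])
```

Running it shows the progression: 10.26.49 is misflagged by ORIGINAL, 10.26.50 (a future release on the stable branch) is misflagged by PATCHED, and only RANGED treats the whole fixed branch as unaffected while still flagging 10.26.10.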