CVE-2009-2369 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2369): Integer overflow in the wxImage::Create function in src/common/image.cpp in wxWidgets 2.8.10 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted JPEG file, which triggers a heap-based buffer overflow. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
upstream bug: http://trac.wxwidgets.org/ticket/10993
Created attachment 198446 [details, diff] wxGTK-2.8.10.1-CVE-2009-2369.patch
Fixed in 2.8.10.1-r1.
Arches, please test and mark stable: =x11-libs/wxGTK-2.8.10.1-r1 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Ryan, what about the 2.6 slot? The patch applies there as well (with fuzz).
Stable on alpha.
ppc stable
oops, also fixed in 2.6.4.0-r5. alpha and ppc, can you stabilize that version as well?
x86 stable
(In reply to comment #8) > oops, also fixed in 2.6.4.0-r5. alpha and ppc, can you stabilize that version > as well? Stable on alpha.
I've marked 2.6.4.0-r5 and 10.1-r1 stable for sparc. But I *think* we're really using wxGTK-2.8.10.1-r1. I guess this thing is slotted, but it is not clear from the request here what you want. Thus, I'm not removing the CC. I don't know what you are asking for. I've marked stable versions which seem to work.
Stable for HPPA.
arm/ia64/sh stable
Ferris: there are two slots. stabilize the latest version in each.
it looks like there was an 2.8.10.1-r2 ebuild added by jokey a couple days ago. i just removed it, so please ignore it if you see it. sorry for the confusion.
(In reply to comment #15) > it looks like there was an 2.8.10.1-r2 ebuild added by jokey a couple days ago. > i just removed it, so please ignore it if you see it. sorry for the > confusion. Please rebuild the manifest as well, 2.8.10.1-r2 is still in there (as of revision 1.291). And a note in the ChangeLog (which mentions the addition of -r2) about the removal and its reasons would have been nice.
ppc64 done on both
amd64 stable for both
sparc is done. 2.8.10 is good to go. ppc needs to stabilize 2.6.4.0-r5.
Removing ppc as it has been stabilized by nixut. Bug is ready to be fixed by security team.
B2 -> GLSA request filed.
GLSA 201009-01