Bug 548746 - <dev-db/virtuoso-{odbc,server}-6.1.8: multiple vulnerabilities
Summary: <dev-db/virtuoso-{odbc,server}-6.1.8: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2015-05-06 08:36 UTC by Agostino Sarubbo
Modified: 2017-09-24 21:41 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-05-06 08:36:06 UTC
From ${URL} :

A long time ago, we looked at the low-level data marshaling code in the
database server, and found quite a few memory safety issues.  We also
encountered server crashes and problems which looked like race
conditions, affecting server stability.

KDE uses a private UNIX domain socket to communicate with a
user-specific database server, but the database server can be accessed
over TCP as well.

Upstream did not release a security advisory, but alluded to the fixes
in release announcement:

<http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VOSNews#Client%20RPC>

And in commit messages:

<https://github.com/openlink/virtuoso-opensource/commits/develop/6/libsrc/Dk>

We have not assigned CVE identifiers because the number of different
crashes we saw was fairly large, and we could not completely understand
how the RPC implementation is pieced together.
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2015-05-07 23:09:01 UTC
Best I can do here is stable 6.1.8, since it at least got some of those fixes--we cannot move to 7 since upstream completely dropped non-amd64 support.

Arches, please stabilize:
=dev-db/virtuoso-odbc-6.1.8
=dev-db/virtuoso-server-6.1.8
Target arches: amd64 ppc ppc64 x86
Comment 2 Agostino Sarubbo gentoo-dev 2015-05-08 08:09:31 UTC
(In reply to Chris Reffett from comment #1)
> Best I can do here is stable 6.1.8, since it at least got some of those
> fixes--we cannot move to 7 since upstream completely dropped non-amd64
> support.

This bug also affects EPEL6 (https://bugzilla.redhat.com/show_bug.cgi?id=1219016).
They run 6.1.6 and I guess they will backport the security fixes. Do we want to give them an opportunity?
Comment 3 Chris Reffett (RETIRED) gentoo-dev Security 2015-05-08 13:21:36 UTC
Sure.
Comment 4 Michael Palimaka (kensington) gentoo-dev 2015-08-19 15:36:44 UTC
This package has been masked for removal.
Comment 6 Manuel Rüger (RETIRED) gentoo-dev 2015-09-17 14:02:21 UTC
Please do not close security bugs.
Comment 7 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-24 21:36:15 UTC
New GLSA Request filed.

Gentoo Security Padawan
ChrisADR
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2017-09-24 21:37:08 UTC
Very vague reports. Downgrading to B3 as no PoC for ACE/RCE.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2017-09-24 21:41:09 UTC
NO CVE as per:
______________________________
We have not assigned CVE identifiers because the number of different
crashes we saw was fairly large, and we could not completely understand
how the RPC implementation is pieced together.
______________________________