Bug 554262 - <app-text/htmldoc-1.8.29: Multiple buffer overflows
Summary: <app-text/htmldoc-1.8.29: Multiple buffer overflows
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.msweet.org/blog.php?L52+Z1
Whiteboard: B3 [noglsa]
Reported: 2015-07-08 19:40 UTC by Hanno Böck
Modified: 2017-01-19 10:40 UTC

Package list:
=app-text/htmldoc-1.8.29
Runtime testing required: ---
stable-bot: sanity-check+


Description Hanno Böck gentoo-dev 2015-07-08 19:40:21 UTC
The upstream changelog for 1.8.28 says:
SECURITY: Fixed three buffer overflow issues when reading AFM files and parsing page sizes.

The ebuild already contains a patch for an overflow, but as the changelog talks about three I assume this doesn't cover all of them.

htmldoc is currently maintainer-needed.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-02-15 10:57:14 UTC
No corresponding CVEs. Package may need to be considered for tree cleaning as well if it remains maintainer-needed.
Comment 2 Hanno Böck gentoo-dev 2016-04-16 14:30:30 UTC
htmldoc 1.8.29 was committed to the tree.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 19:25:50 UTC
@ Arches,

please test and mark stable: =app-text/htmldoc-1.8.29
Comment 4 Agostino Sarubbo gentoo-dev 2016-12-01 12:51:53 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-12-01 12:54:33 UTC
x86 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-02 14:21:47 UTC
Stable on alpha.
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-11 10:38:22 UTC
sparc stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-14 12:48:07 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-15 15:51:58 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-17 14:26:37 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-18 10:04:20 UTC
ppc64 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-01-19 10:40:32 UTC
No PoC for ACE/RCE, downgraded to B3.

GLSA Vote: No

Tree is clean:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5734ce51ae989c6d907f680ede2a6e9dca75f585