Bug 589520 - sys-apps/tuxonice-userui: use of REPLACING_VERSIONS does not account for multiple values
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal QA
Assignee: Arfrever Frehtes Taifersar Arahesis
URL:
Whiteboard:
Keywords: QAcanfix
Depends on:
Blocks: 589444
Reported: 2016-07-23 13:02 UTC by Michał Górny
Modified: 2016-11-19 06:40 UTC

See Also:
Package list:
Runtime testing required: ---

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-07-23 13:02:34 UTC
See the tracker bug.

  if [[ ${REPLACING_VERSIONS} < 1.1 ]]; then

Doesn't account for >1 value in RV. Furthermore, uses lexicographical string comparison on numbers.
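
The two problems named in the description, as an added example that is not part of the original report or of the ebuild. It generalises the hard-coded `1.1` to a threshold argument; the function names are hypothetical, and GNU `sort -V` stands in for the package manager's own version comparison so the script runs outside Portage.

```sh
#!/bin/sh
# Added illustration. naive_older_than, ver_lt and any_replaced_older_than are
# hypothetical helper names, not Portage or eclass functions.

# The check from the report: the whole variable compared as ONE string, byte by
# byte. Same test as [[ ${REPLACING_VERSIONS} < 1.1 ]] in the C locale, with the
# threshold passed as $2.
naive_older_than() {
    [ "$1" \< "$2" ]
}

# True if version $1 sorts strictly before version $2.
# Assumption: GNU sort -V is an acceptable approximation of version ordering.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# True if ANY of the whitespace-separated versions in $1 is older than $2.
# An empty list (fresh install, nothing replaced) is never "older".
any_replaced_older_than() {
    for v in $1; do          # unquoted on purpose: split the list on whitespace
        if ver_lt "$v" "$2"; then
            return 0
        fi
    done
    return 1
}

# Constructed sample inputs: "replaced versions|threshold"
for case in "1.2 1.0|1.1" "1.0 1.2|1.1" "1.10|1.9" "|1.1"; do
    rv=${case%%|*}
    min=${case##*|}
    naive=no
    fixed=no
    if naive_older_than "$rv" "$min"; then naive=yes; fi
    if any_replaced_older_than "$rv" "$min"; then fixed=yes; fi
    printf 'REPLACING_VERSIONS="%s" threshold=%s naive=%s per-version=%s\n' \
        "$rv" "$min" "$naive" "$fixed"
done
```

The naive form gives different answers for `1.2 1.0` and `1.0 1.2`, treats `1.10` as older than `1.9`, and fires on an empty `REPLACING_VERSIONS`.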
Comment 1 Arfrever Frehtes Taifersar Arahesis 2016-07-29 06:57:57 UTC
Old elog messages deleted.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=105f1116a8bababc99cd1afb437c3df7b1df4ef1
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-11-19 05:14:33 UTC
CVE-2016-6354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6354):
  Heap-based buffer overflow in the yy_get_next_buffer function in Flex before
  2.6.1 might allow context-dependent attackers to cause a denial of service
  or possibly execute arbitrary code via vectors involving num_to_read.