Bug 598208 (CVE-2016-9085) - <media-libs/libwebp-0.5.2: several integer overflow (CVE-2016-9085)
Summary: <media-libs/libwebp-0.5.2: several integer overflow (CVE-2016-9085)
Status: RESOLVED FIXED
Alias: CVE-2016-9085
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A2 [glsa cve]
Keywords:
Depends on: 595526
Blocks: 597756
Reported: 2016-10-27 08:19 UTC by Agostino Sarubbo
Modified: 2017-05-27 09:20 UTC

See Also:
Package list:
=media-libs/libwebp-0.5.2
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2016-10-27 08:19:04 UTC
From ${URL} :

* Several integer overflows:

Report: https://bugs.chromium.org/p/webp/issues/detail?id=314 (private)

Fix:
https://chromium.googlesource.com/webm/libwebp/+/e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83




@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Agostino Sarubbo gentoo-dev 2016-10-27 08:20:24 UTC
There is also:


* NULL pointer dereference

Bug report: https://bugs.chromium.org/p/webp/issues/detail?id=310 (private)

Fix:
https://chromium.googlesource.com/webm/libwebp/+/806f6279aef4de8deca01c8e727db4a508716e95


which did not receive a CVE but would be great to have the fix in the tree.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 23:04:29 UTC
Fixed via https://github.com/webmproject/libwebp/commit/bb23361 and https://github.com/webmproject/libwebp/commit/883d41f


@ Maintainer(s): Can we start stabilization of =media-libs/libwebp-0.5.2?
Comment 3 Mike Gilbert gentoo-dev 2017-01-09 23:14:36 UTC
No objection from me.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-10 00:04:27 UTC
@ Arches,

please test and mark stable: =media-libs/libwebp-0.5.2
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2017-01-10 12:35:40 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-10 15:23:56 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-11 10:49:50 UTC
sparc stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-12 13:58:07 UTC
(In reply to Mike Gilbert from comment #3)
> No objection from me.

You checked for open bugs against the package?
Comment 9 Markus Meier gentoo-dev 2017-01-13 16:55:46 UTC
arm stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-15 00:36:41 UTC
Stable for HPPA.
Comment 11 Mike Gilbert gentoo-dev 2017-01-15 00:43:08 UTC
(In reply to Jeroen Roovers from comment #8)
> You checked for open bugs against the package?

Yes, and I saw an unconfirmed bug report for an issue that only occurs with stupid CFLAGS.
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-15 12:01:15 UTC
(In reply to Mike Gilbert from comment #11)
> (In reply to Jeroen Roovers from comment #8)
> > You checked for open bugs against the package?
> 
> Yes, and I saw an unconfirmed bug report for an issue that only occurs with
> stupid CFLAGS.

1. It's unconfirmed so it needed further investigation, which could easily be
   done by using the CFLAGS from the bug report to reproduce the issue.
2. Since the fix was to employ some configure flags that were helpfully put in
   place upstream already, upstream apparently don't regard them as "stupid"
   like you do.
3. I can CC and un-CC myself. You don't need to do anything. Please don't.
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-15 16:01:47 UTC
ppc stable
Comment 14 Mike Gilbert gentoo-dev 2017-01-15 17:00:18 UTC
(In reply to Jeroen Roovers from comment #12)

Sorry for my flippant response.

> I can CC and un-CC myself. You don't need to do anything. Please don't.

I copied you so that you would see my response, that's all.
Comment 15 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-15 22:20:54 UTC
Stable on alpha.
Comment 16 Agostino Sarubbo gentoo-dev 2017-01-17 14:37:36 UTC
ia64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2017-01-18 10:05:21 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2017-01-19 08:49:43 UTC
GLSA request filed.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2017-01-24 11:07:19 UTC
This issue was resolved and addressed in GLSA 201701-61 at https://security.gentoo.org/glsa/201701-61 by GLSA coordinator Aaron Bauman (b-man).
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2017-01-24 11:08:21 UTC
re-opened for cleanup
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2017-05-27 00:10:10 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 22 Mike Gilbert gentoo-dev 2017-05-27 02:30:59 UTC
Done.
Comment 23 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-27 09:20:33 UTC
Repository is clean, all done.

@ Arches and Maintainer(s): Thank you for your work.