See https://github.com/htacg/tidy-html5/issues/443 This is now fixed with the new release 5.4.0. Please bump.
Package has no stable ebuild. @ Maintainer(s): Please bump to >=app-text/tidy-html5-5.4.0!
Hanno, thanks for the report. Is there any evidence of how an attacker can do something about? For now I see: "no input at all is required to trigger it, just execute tidy with address sanitizer."
I think we can close here. No user input involved, but independent of that there are no stable versions of that package, so we need no further security handling.
Actually even with a non stable package, we need to make sure that the vulnerable version in three.. So please drop the vulnerable version.
Damn We need to make sure the vulnerable versions are removed from tree.
Cleanup PR: https://github.com/gentoo/gentoo/pull/4854
commit b217e7823d2981d8d6715c3c1d2e369b2560db38 (HEAD -> master, origin/master, origin/HEAD) Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: Mon Jun 5 00:41:47 2017 +0200 Commit: Patrice Clement <monsieurp@gentoo.org> CommitDate: Tue Jun 6 23:34:16 2017 +0200 app-text/tidy-html5: remove vulnerable version. Gentoo-Bug: https://bugs.gentoo.org/611424 Package-Manager: Portage-2.3.5, Repoman-2.3.2 Closes: https://github.com/gentoo/gentoo/pull/4854 app-text/tidy-html5/Manifest | 1 - app-text/tidy-html5/tidy-html5-5.2.0.ebuild | 21 --------------------- 2 files changed, 22 deletions(-) delete mode 100644 app-text/tidy-html5/tidy-html5-5.2.0.ebuild
Thanks Whissy for the PR! Security, please proceed.