Comment 1 Thomas Deutschmann (RETIRED) 2017-03-02 18:36:29 UTC

Package has no stable ebuild.

@ Maintainer(s): Please bump to >=app-text/tidy-html5-5.4.0!

Comment 2 Agostino Sarubbo 2017-03-03 08:23:45 UTC

Hanno, thanks for the report. Is there any evidence of how an attacker can do something about?

For now I see:
"no input at all is required to trigger it, just execute tidy with address sanitizer."

Comment 3 Hanno Böck 2017-05-03 22:40:49 UTC

I think we can close here. No user input involved, but independent of that there are no stable versions of that package, so we need no further security handling.

Comment 4 Yury German 2017-05-03 23:53:09 UTC

Actually even with a non stable package, we need to make sure that the vulnerable version in three..

So please drop the vulnerable version.

Comment 5 Yury German 2017-05-03 23:55:48 UTC

Damn 
We need to make sure the vulnerable versions are removed from tree.

Comment 6 Thomas Deutschmann (RETIRED) 2017-06-04 22:42:59 UTC

Cleanup PR: https://github.com/gentoo/gentoo/pull/4854

Comment 7 Patrice Clement 2017-06-06 21:35:09 UTC

commit b217e7823d2981d8d6715c3c1d2e369b2560db38 (HEAD -> master, origin/master, origin/HEAD)
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: Mon Jun 5 00:41:47 2017 +0200
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: Tue Jun 6 23:34:16 2017 +0200

app-text/tidy-html5: remove vulnerable version.

Gentoo-Bug: https://bugs.gentoo.org/611424

Package-Manager: Portage-2.3.5, Repoman-2.3.2
Closes: https://github.com/gentoo/gentoo/pull/4854

app-text/tidy-html5/Manifest                |  1 -
app-text/tidy-html5/tidy-html5-5.2.0.ebuild | 21 ---------------------
2 files changed, 22 deletions(-)
delete mode 100644 app-text/tidy-html5/tidy-html5-5.2.0.ebuild

Comment 8 Patrice Clement 2017-06-06 21:35:59 UTC

Thanks Whissy for the PR!

Security, please proceed.