Details at $URL. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
I can't really see any issues with the claimed reproducers:
before and after is the same:
$ csslint-0.6 00267-libcroco-heapoverflow-cr_input_read_byte
parsing error: 1:0:could not recognize next production
$ csslint-0.6 00268-libcroco-outside-long
parsing error: 1:0:could not recognize next production
parsing error: 1:2:while parsing rulset: current char should be '{'
Otherwise grabbed the relevant parts of the patches into dev-libs/libcroco-0.6.12-r1; please stabilize
CVE ID: CVE-2017-7960
Summary: The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 and 0.6.12 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted CSS file.
Published: 2017-04-19T15:59:00.000Z
(In reply to Mart Raudsepp from comment #1)
> I can't really see any issues with the claimed reproducers:
>
> before and after is the same:
Hello, did you compile it with -fsanitize=undefined?
amd64 stable
(In reply to Agostino Sarubbo from comment #3)
> Hello, did you compile it with -fsanitize=undefined ?
No, I was testing what actual users see and the $URL didn't mention it
Stable for HPPA.
Reverting unauthorized package list modification by non-maintainer
x86 stable
sparc stable
Stable on alpha.
ppc ppc64 stable.
arm stable
(In reply to Mart Raudsepp from comment #5)
> No, I was testing what actual users see and the $URL didn't mention it
I thought it was a bit obvious. Anyway, as a dependency of a package classified as A, this is A too.
Remaining arches are not part of security supported architectures, proceeding with security. Arches please stabilize as soon as possible to secure package. New GLSA Request filed.
ia64 still waiting on stabilization, about to push the release of GLSA.
ia64 stable. Maintainer(s), please clean up.
This issue was resolved and addressed in GLSA 201707-13 at https://security.gentoo.org/glsa/201707-13 by GLSA coordinator Thomas Deutschmann (whissi).