Bug 628322 - <app-misc/anki-2.0.47: version bump (security issue in .apkg imports from third party sources)
Summary: <app-misc/anki-2.0.47: version bump (security issue in .apkg imports from thi...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://anki.tenderapp.com/discussion...
Whiteboard: B4 [noglsa]
Reported: 2017-08-19 19:15 UTC by Gleb
Modified: 2017-12-26 18:43 UTC
Description Gleb 2017-08-19 19:15:43 UTC
"I have just released 2.0.47. It fixes an issue that could allow a specially crafted .apkg file to write files outside the media folder during import. AnkiWeb shared decks were not affected, but upgrading is strongly recommended if you import .apkg files from third party sources. A big thanks to David Bailey for discovering this issue." [1]

[1]: https://anki.tenderapp.com/discussions/announcements/122-security-issue-in-apkg-imports-from-third-party-sources-on-anki-2047
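The issue quoted above (a crafted .apkg writing files outside the media folder during import) is the archive path-traversal pattern: an importer trusts file names carried inside the archive and joins them onto the destination directory. The following Python sketch is an added example, not Anki's code and not taken from the referenced announcement; it shows the containment check an importer needs. It assumes the publicly described .apkg layout (a zip archive with a JSON `media` member mapping entry names to file names); the function names, the sample archive and its file names are constructed here.

```python
"""
Added example (not Anki's code): refuse media file names from an .apkg
archive that would resolve outside the collection's media folder.
Assumption: the archive is a zip whose "media" member is a JSON object
mapping zip entry names to destination file names.
"""
import io
import json
import os
import tempfile
import zipfile


def is_within_directory(base_dir: str, target_path: str) -> bool:
    """True if target_path resolves (symlinks and '..' included) inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(target_path)
    return os.path.commonpath([base, target]) == base


def safe_media_path(media_dir: str, filename: str):
    """Absolute destination for filename, or None if it must be rejected.

    A media name is expected to be a bare file name: no separators, no
    '.' or '..'.  The realpath containment check is kept as a second layer
    so that an existing symlink inside media_dir cannot redirect the write.
    """
    if not filename or filename in (".", ".."):
        return None
    if os.path.basename(filename) != filename:  # any separator present
        return None
    dest = os.path.join(media_dir, filename)
    if not is_within_directory(media_dir, dest):
        return None
    return dest


def import_media(apkg_bytes: bytes, media_dir: str):
    """Extract the media files of an .apkg into media_dir.

    Returns (written, rejected): mapped file names that were written, and
    mapped file names refused because they would escape media_dir.
    """
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(apkg_bytes)) as zf:
        mapping = json.loads(zf.read("media"))
        for member, filename in mapping.items():
            dest = safe_media_path(media_dir, filename)
            if dest is None:
                rejected.append(filename)
                continue
            with zf.open(member) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(filename)
    return written, rejected


def build_sample_apkg() -> bytes:
    """Constructed sample archive: one benign entry and two hostile mappings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("media", json.dumps({
            "0": "picture.png",
            "1": "../outside.txt",
            "2": "/tmp/absolute.txt",
        }))
        zf.writestr("0", b"png-bytes")
        zf.writestr("1", b"must not be written")
        zf.writestr("2", b"must not be written")
    return buf.getvalue()


def demo():
    """Import the sample into a temporary media folder and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        media_dir = os.path.join(tmp, "collection.media")
        os.mkdir(media_dir)
        written, rejected = import_media(build_sample_apkg(), media_dir)
        escaped = os.path.exists(os.path.join(tmp, "outside.txt"))
        return written, rejected, escaped


if __name__ == "__main__":
    print(demo())
```

The bare-file-name rule does most of the work; the `realpath` containment check is the general defence for importers that legitimately accept sub-paths, and it also catches a pre-existing symlink inside the media folder pointing elsewhere.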
Comment 1 Patrick Lauer gentoo-dev 2017-09-23 06:32:02 UTC
Done.
Comment 2 Patrick Lauer gentoo-dev 2017-09-23 06:32:47 UTC
Silly me, don't close bugs with security@ in CC
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-23 14:09:26 UTC
Thank you Patrick, could you please confirm if prior versions are affected? If that's the case please call for stabilization or let us know.

Gentoo Security Padawan
ChrisADR
Comment 4 Gleb 2017-12-26 17:16:01 UTC
This outdated version was removed from the tree some time ago. It appears now that this report is obsolete, so the ticket can be closed.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-26 18:43:38 UTC
Affected ebuilds were removed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c256849563d19e023385ef4cf9f55a550815359a

Stable version removed via bug 639354.

GLSA Vote: No.

Repository is clean, all done.