CVE-2017-1000203 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000203): ROOT version 6.9.03 and below is vulnerable to an authenticated shell metacharacter injection in the rootd daemon resulting in remote code execution
@Maintainers please call for stabilization when ready. Thank you
Thanks. New releases of ROOT 5.34, 6.10, and 6.12 will be out soon (early December). When that happens, I will bump the packages and clean up old versions.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f3fff3e43dbf12f9b561b56d8530a21d5c4d4163

commit f3fff3e43dbf12f9b561b56d8530a21d5c4d4163
Author: Guilherme Amadio <amadio@gentoo.org>
AuthorDate: 2018-07-05 09:27:18 +0000
Commit: Guilherme Amadio <amadio@gentoo.org>
CommitDate: 2018-07-05 11:05:00 +0000

    sci-physics/root: drop old

    Closes: https://bugs.gentoo.org/651000
    Closes: https://bugs.gentoo.org/620754
    Closes: https://bugs.gentoo.org/632128
    Closes: https://bugs.gentoo.org/638422
    Closes: https://bugs.gentoo.org/649992
    Package-Manager: Portage-2.3.41, Repoman-2.3.9

 sci-physics/root/Manifest | 1 -
 .../root/files/root-5.28.00b-glibc212.patch | 11 -
 sci-physics/root/files/root-5.32.00-cfitsio.patch | 13 -
 sci-physics/root/files/root-5.32.00-chklib64.patch | 24 --
 sci-physics/root/files/root-5.32.00-dotfont.patch | 58 ---
 .../root/files/root-5.34.05-nobyte-compile.patch | 137 -------
 sci-physics/root/files/root-5.34.13-unuran.patch | 40 --
 sci-physics/root/files/root-5.34.26-ldflags.patch | 19 -
 sci-physics/root/metadata.xml | 3 -
 sci-physics/root/root-5.34.36.ebuild | 441 ---------------------
 10 files changed, 747 deletions(-)
ROOT 5.34 is no longer in the tree. ROOT 6.12/06 has been available for a while, and was just bumped to 6.14/00, so no affected versions are in the tree anymore. Since no stable version is in the tree, I think this bug can now be closed. I've reopened to let the security team confirm before closing.