Berkeley DB reads the DB_CONFIG configuration file from the current working directory. Upstream has not released a fix yet, but Ubuntu have just released updated packages using a patch that Fedora is also using, and which upstream has apparently endorsed (see RedHat BZ comments). So I suggest Gentoo do the same?

References:
http://seclists.org/oss-sec/2017/q2/452
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-10140.html
https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch
https://bugzilla.redhat.com/show_bug.cgi?id=1464032#c9
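A small defender-side audit helper for the exposure described in this report, added here as an example and not part of the bug report or of libdb. It models the unpatched lookup (DB_CONFIG next to the environment home when one is set, otherwise in the process cwd) and flags the conditions under which another local user could plant that file; the directories it inspects are constructed in the test.

```python
"""Audit where a Berkeley DB process would pick up DB_CONFIG (constructed example)."""
import os
import stat
from pathlib import Path
from typing import List, Optional


def candidate_db_config(home: Optional[str], cwd: str) -> Path:
    """Path an unpatched libdb would consult for DB_CONFIG.

    Assumption (from the report): with a DB home the file is read from the
    home directory; without one it is read from the current working directory.
    """
    base = Path(home) if home else Path(cwd)
    return base / "DB_CONFIG"


def writable_by_others(path: Path) -> bool:
    """True if 'other' has write permission (sticky bit does not stop file creation)."""
    return bool(path.stat().st_mode & stat.S_IWOTH)


def audit(home: Optional[str], cwd: str, expected_uid: Optional[int] = None) -> List[str]:
    """Return human-readable findings for a process with the given home and cwd."""
    findings: List[str] = []
    if home is None:
        findings.append("no DB home set: DB_CONFIG will be read from the process cwd")
    cfg = candidate_db_config(home, cwd)
    directory = cfg.parent
    if directory.is_dir() and writable_by_others(directory):
        findings.append(f"{directory} is world-writable: any local user can create DB_CONFIG there")
    if cfg.exists():
        owner = cfg.stat().st_uid
        if expected_uid is not None and owner != expected_uid:
            findings.append(f"{cfg} is owned by uid {owner}, not the expected uid {expected_uid}")
        if writable_by_others(cfg):
            findings.append(f"{cfg} is world-writable")
    return findings


if __name__ == "__main__":
    # Report for the current process: no home, cwd as the fallback location.
    for line in audit(os.environ.get("DB_HOME"), os.getcwd(), os.getuid()):
        print(line)
```

Mitigation follows from the findings: run the consumer with an explicit, non-world-writable DB home (the patch referenced above removes the cwd fallback entirely).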
Just tested the Fedora patch (added an epatch line to the latest stable db-5.3.28-r2.ebuild) and saw that it was applied, which it did without error, and it built and installed fine. Haven't tested other versions.
(In reply to Eddie Chapman from comment #1) Thanks for the report Eddie, CCing maintainers to let them know about this. @Maintainers please confirm if we are affected.
Looks ok, but I'm worried about subtle breakage by consumers. I need to check if DB_HOME is set in those cases (openldap berkdb mostly).
(In reply to Robin Johnson from comment #3)
> Looks ok, but I'm worried about subtle breakage by consumers. I need to
> check if DB_HOME is set in those cases (openldap berkdb mostly).

Thanks, please call for stabilization when a fixed version is available.
Maintainer(s): Ping.