Iniparser 4.1 fixes, among other things, invalid memory access: https://github.com/ndevilla/iniparser/issues/68
Please bump.
Iniparser 4.0 has been masked since 2015, but the package mask message doesn't indicate any problems:
# Sebastian Pipping <sping@gentoo.org> (8 Aug 2015)
# Upcoming, too young to go into testing unmasked
There are also no open bugs. I'll cc sping as well. So I guess we can bump and unmask.
@Maintainers ping.
Hi! I have a vague memory that app-cdr/isomaster crashed with iniparser 4 but I could not find out why back then quickly enough. All reverse dependencies use dev-libs/iniparser:0 still. So if we update :4 to 4.1 now, the effect on installed applications will be zero. These applications depend on iniparser:
- app-cdr/isomaster
- app-portage/portage-utils
- net-analyzer/nagios-sap-ccms-plugin
- net-fs/samba
- net-fs/smbtad
One could team up to get all of these to :4 for a real effect.
PS: Are we sure that 3.1 is affected? I have asked that question upstream at https://github.com/ndevilla/iniparser/issues/68#issuecomment-373543560 now.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc65b297ed53567c1b41d8709db1bc91ac475a44
commit bc65b297ed53567c1b41d8709db1bc91ac475a44
Author: Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2018-03-27 23:31:45 +0000
Commit: Sebastian Pipping <sping@gentoo.org>
CommitDate: 2018-03-27 23:51:59 +0000
    dev-libs/iniparser: 4.1 + EAPI 6
    Bug: https://bugs.gentoo.org/647588
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
 dev-libs/iniparser/Manifest | 2 +-
 .../iniparser/files/iniparser-4.0-cflags.patch | 28 -----------------
 .../iniparser/files/iniparser-4.0-soname.patch | 35 ----------------------
 .../{iniparser-4.0.ebuild => iniparser-4.1.ebuild} | 24 +++++++--------
 4 files changed, 12 insertions(+), 77 deletions(-)
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ec3a7ebc392b80d2398c410297b5410ec74dcc0
commit 7ec3a7ebc392b80d2398c410297b5410ec74dcc0
Author: Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2018-03-28 14:31:08 +0000
Commit: Sebastian Pipping <sping@gentoo.org>
CommitDate: 2018-03-28 14:43:35 +0000
    app-cdr/isomaster: 1.3.14 + EAPI 6 + xdg-utils
    First release using iniparser 4.x
    Bug: https://bugs.gentoo.org/647588
    Package-Manager: Portage-2.3.24, Repoman-2.3.6
 app-cdr/isomaster/Manifest | 1 +
 app-cdr/isomaster/isomaster-1.3.14.ebuild | 69 +++++++++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6602fddda4bf33f54f28263ea6b5f571f04f1e0
commit b6602fddda4bf33f54f28263ea6b5f571f04f1e0
Author: Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2018-03-28 14:26:17 +0000
Commit: Sebastian Pipping <sping@gentoo.org>
CommitDate: 2018-03-28 14:43:34 +0000
    package.mask: Unmask dev-libs/iniparser:4
    Bug: https://bugs.gentoo.org/647588
 profiles/package.mask | 4 ----
 1 file changed, 4 deletions(-)
(In reply to Sebastian Pipping from comment #3)
> PS: Are we sure that 3.1 is affected? I have asked that question upstream
> at https://github.com/ndevilla/iniparser/issues/68#issuecomment-373543560
> now.
It had an answer [0] btw:
> 3.1 is affected, 2.17 is not.
> But according to the webpage 2.17 is "For archeological purposes only" so I guess it's not recommended to use it.
Patch: https://github.com/ndevilla/iniparser/commit/4f870752abbb756911d7b11405d49e9769d082bd
Are we at a point where 3.1 can go, or apply the patch?
[0] https://github.com/ndevilla/iniparser/issues/68#issuecomment-373903190
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8721763f5c744e8eca229edfe1afd52a77cf2842
commit 8721763f5c744e8eca229edfe1afd52a77cf2842
Author: Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2020-03-15 18:08:29 +0000
Commit: Sebastian Pipping <sping@gentoo.org>
CommitDate: 2020-03-15 18:08:40 +0000
    dev-libs/iniparser: Fix out-of-bounds read
    Bug: https://bugs.gentoo.org/647588
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-2.3.92, Repoman-2.3.20
 .../files/iniparser-4.0-out-of-bounds-read.patch | 22 ++++++++++
 dev-libs/iniparser/iniparser-3.1-r2.ebuild | 47 ++++++++++++++++++++++
 2 files changed, 69 insertions(+)
Thanks sping. Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
@maintainer(s): ping
ping. Are we ok to stabilise, or do other things need fixing first?
(In reply to Sam James (sec padawan) from comment #10)
> ping. Are we ok to stabilise, or do other things need fixing first?
I believe so, there are no other tickets open about iniparser.
Adding arch teams… thanks in advance!
(In reply to Sebastian Pipping from comment #11)
> (In reply to Sam James (sec padawan) from comment #10)
> > ping. Are we ok to stabilise, or do other things need fixing first?
>
> I believe so, there are no other tickets open about iniparser.
>
> Adding arch teams… thanks in advance!
Cool, thanks. :)
arm stable
ppc stable
s390 stable
sparc stable
ppc64 stable
arm64 stable
amd64 stable
x86 stable
@hppa...
GLSA Vote: No
hppa stable
@maintainer(s), please cleanup
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c866047493e6786ef2f89b796580674b739ee777
commit c866047493e6786ef2f89b796580674b739ee777
Author: Sam James <sam@gentoo.org>
AuthorDate: 2020-07-17 21:24:28 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 23:59:52 +0000
    dev-libs/iniparser: security cleanup
    Bug: https://bugs.gentoo.org/647588
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>
 dev-libs/iniparser/iniparser-3.1-r1.ebuild | 46 ------------------------------
 1 file changed, 46 deletions(-)
Tree is clean, no GLSA, closing.