Bug 751094 - <dev-util/sccache-0.2.15: depends on vulnerable linked-hash-map crate
Summary: <dev-util/sccache-0.2.15: depends on vulnerable linked-hash-map crate
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://rustsec.org/advisories/RUSTSE...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-25 01:54 UTC by John Helmert III
Modified: 2021-07-24 06:12 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-25 01:54:08 UTC
See $URL for details. Maintainer(s), please advise if this package uses this package in a way that could trigger these vulnerabilities.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-10-25 02:00:23 UTC
Looks like the dependency is on 0.5.3 on master.
Comment 2 Georgy Yakovlev archtester gentoo-dev 2020-10-25 04:20:32 UTC
This needs investigation; however, I think it's simpler just to patch the single line in the existing crate/ebuild.
Will do later.
Comment 3 Larry the Git Cow gentoo-dev 2021-02-25 23:47:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb7862c8eb684a4cf002f2ca861c19ddd1936786

commit eb7862c8eb684a4cf002f2ca861c19ddd1936786
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-02-25 23:45:31 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-02-25 23:46:52 +0000

    dev-util/sccache: bump to 0.2.15, ppc64 support
    
    Bug: https://bugs.gentoo.org/751094
    Bug: https://bugs.gentoo.org/766384
    Bug: https://bugs.gentoo.org/740878
    Bug: https://bugs.gentoo.org/711340
    Bug: https://bugs.gentoo.org/710202
    Closes: https://bugs.gentoo.org/750572
    Closes: https://bugs.gentoo.org/771843
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-util/sccache/Manifest              | 247 +++++++++++++++++
 dev-util/sccache/sccache-0.2.15.ebuild | 475 +++++++++++++++++++++++++++++++++
 2 files changed, 722 insertions(+)
Comment 4 Georgy Yakovlev archtester gentoo-dev 2021-02-25 23:49:45 UTC
Can be closed as soon as 0.2.13 is gone from the tree; it does not even build nowadays and is not stable, but let's give it a couple of days.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-26 00:09:46 UTC
(In reply to Georgy Yakovlev from comment #4)
> Can be closed as soon as 0.2.13 is gone from the tree; it does not even
> build nowadays and is not stable, but let's give it a couple of days.

Thanks!
Comment 6 Larry the Git Cow gentoo-dev 2021-07-24 06:09:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5bff254aaf27887ee76415a8964e390a0108636

commit b5bff254aaf27887ee76415a8964e390a0108636
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-24 06:08:57 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-24 06:08:57 +0000

    dev-util/sccache: drop 0.2.13
    
    Bug: https://bugs.gentoo.org/751094
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 dev-util/sccache/Manifest              | 186 ----------------
 dev-util/sccache/sccache-0.2.13.ebuild | 390 ---------------------------------
 2 files changed, 576 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-24 06:12:45 UTC
Thanks!