Bug 773475 - dev-util/premake:5: contains several *vulnerable* bundled libraries (curl, mbedtls, ...)
Status: CONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: bundled-libs
Reported: 2021-02-28 22:58 UTC by Sam James
Modified: 2024-05-26 11:54 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-02-28 22:58:08 UTC
Please see if we can unbundle the bundled libraries:
* net-misc/curl
* dev-libs/libzip
* dev-lang/lua
* luashim (not packaged?)
* net-libs/mbedtls
* sys-libs/zlib

See https://github.com/premake/premake-core/tree/master/contrib.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-05-25 08:13:12 UTC
FWICS, 5.0.0_beta2 has:

- curl-7.53.1 that is affected by vulnerabilities
- libzip-0.11.2 that is affected by vulnerabilities
- lua-5.3.5 that might be vulnerable (upstream CVEs are unclear)
- mbedtls-2.25.0 that is affected by vulnerabilities
- zlib-1.2.8 which is affected by vulnerabilities

FWICS luashim is their own library, so we don't need to worry about it. The rest is swiss cheese.
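The versions listed above come from the bundled libraries' own version headers. As an added example (not part of the bug or of premake's sources), the script below walks a source tree, pulls the version string out of the public header each of curl, libzip, mbedtls and zlib ships (the macro names are upstream facts; where the headers sit under contrib/ is an assumption), and flags any copy older than a floor. Lua is left out because it splits its version over several macros. The sample tree and the floor versions are constructed placeholders, not values from the bug.

```python
import os
import re
import tempfile

# Version macro in each library's own public header (upstream facts). The scan
# matches on file name plus macro only, so the contrib/ layout does not matter.
VERSION_MACROS = {
    "curl":    ("curlver.h", r'#define\s+LIBCURL_VERSION\s+"([^"]+)"'),
    "libzip":  ("zipconf.h", r'#define\s+LIBZIP_VERSION\s+"([^"]+)"'),
    "mbedtls": ("version.h", r'#define\s+MBEDTLS_VERSION_STRING\s+"([^"]+)"'),
    "zlib":    ("zlib.h",    r'#define\s+ZLIB_VERSION\s+"([^"]+)"'),
}

def scan_bundled_versions(root):
    """Walk ROOT and return {library: version} for every bundled copy found."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for lib, (header, pattern) in VERSION_MACROS.items():
            if header in files:
                with open(os.path.join(dirpath, header), errors="replace") as fh:
                    match = re.search(pattern, fh.read())
                if match:
                    found[lib] = match.group(1)
    return found

def version_tuple(version):
    # '7.53.1' -> (7, 53, 1): compare numerically, never as strings
    return tuple(int(x) for x in re.findall(r"\d+", version))

def below_floor(found, floors):
    """Libraries whose bundled copy is older than the floor the tree requires."""
    return sorted(lib for lib, ver in found.items()
                  if lib in floors and version_tuple(ver) < version_tuple(floors[lib]))

def demo():
    """Constructed sample tree carrying the versions reported in comment 1."""
    sample = {
        "contrib/curl/include/curl/curlver.h": '#define LIBCURL_VERSION "7.53.1"\n',
        "contrib/libzip/lib/zipconf.h": '#define LIBZIP_VERSION "0.11.2"\n',
        "contrib/mbedtls/include/mbedtls/version.h": '#define MBEDTLS_VERSION_STRING "2.25.0"\n',
        "contrib/zlib/zlib.h": '#define ZLIB_VERSION "1.2.8"\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        found = scan_bundled_versions(root)
    # Placeholder floors (not from the bug): oldest version a system package would
    # provide; anything below them needs patching or unbundling.
    floors = {"curl": "7.54.0", "libzip": "1.0.0", "mbedtls": "2.26.0", "zlib": "1.2.9"}
    return found, below_floor(found, floors)
```

Run demo() against a real checkout by pointing scan_bundled_versions() at its contrib/ directory and replacing the placeholder floors with the versions the system packages actually provide.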
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-05-25 08:27:06 UTC
Upstream is aware at least of cURL vulnerability, and clearly doesn't care.
Comment 3 Hans de Graaff gentoo-dev Security 2024-05-26 08:15:30 UTC
I would be in favor of treecleaning this package. That would affect the following reverse dependencies:

games-rpg/openglad
games-strategy/0ad

Cc'ing their maintainer to get their point of view here.
Comment 4 Ionen Wolkens gentoo-dev 2024-05-26 10:13:39 UTC
(In reply to Hans de Graaff from comment #3)
> I would be in favor of treecleaning this package. That would affect the
> following reverse dependencies:
> 
> games-rpg/openglad
Tried and fixed up that one before, but I'm kind of indifferent about it, and it hasn't received commits in 2 years that I can see. Can be treecleaned if it's needed imo.

> games-strategy/0ad
Never touched/tried it so I don't mind on a personal level, but losing it would still sound rather unfortunate. Has a very active upstream, is popular afaik, and one of its developers also hangs in #gentoo-games. Albeit it bundles spidermonkey (breaks too easily if using the system's) and combined with premake it needs special attention (and is still stuck on python3_10 until the next release w/ newer spidermonkey, which unfortunately comes rarely).

Sam knows it better though, so I'll defer.
Comment 5 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2024-05-26 11:30:17 UTC
If we have a (potentially friendly) developer around, what's the chance of convincing them to use a sane build system?
Comment 6 Ionen Wolkens gentoo-dev 2024-05-26 11:54:14 UTC
Recall we asked over 2 years but wasn't open to the idea back end, not sure if that changed (forget the arguments).

That aside, I just remembered that 0ad also bundles premake. Being vulnerable wouldn't mean much if the bundled version is only used with known files at build time and is never installed.
Comment 7 Ionen Wolkens gentoo-dev 2024-05-26 11:54:55 UTC
(In reply to Ionen Wolkens from comment #6)
> Recall we asked over 2 years but wasn't open to the idea back end, not sure
> if that changed (forget the arguments).
err, over 2 years ago, and back then*