Description and patch from Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=2082179 https://src.fedoraproject.org/rpms/supertux/blob/rawhide/f/supertux-0.6.3-squirrel-CVE-2022-30292.patch Thanks
Thanks! If supertux is bundling squirrel, we should also try to unbundle it.
Thanks for taking upstream. Any idea about impact?
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=866ce00a7cae59ca2c77650addabc3128127ecb8 commit 866ce00a7cae59ca2c77650addabc3128127ecb8 Author: Pacho Ramos <pacho@gentoo.org> AuthorDate: 2022-12-04 14:47:55 +0000 Commit: Pacho Ramos <pacho@gentoo.org> CommitDate: 2022-12-04 14:49:22 +0000 games-arcade/supertux: Fix CVE-2022-30292 For 0.6.3 we need to patch the bundled squirrel copy, in next upstream versions it should be possible to finally build it against system copy. Bug: https://bugs.gentoo.org/843008 Signed-off-by: Pacho Ramos <pacho@gentoo.org> .../supertux-0.6.3-squirrel-CVE-2022-30292.patch | 21 ++++++++ games-arcade/supertux/supertux-0.6.3-r1.ebuild | 63 ++++++++++++++++++++++ 2 files changed, 84 insertions(+)
What of CVE-2021-41556?
I don't know why they didn't fix it in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=2112798 I will try to backport it too
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6975aded48ce0b855445ead7203905795daee608 commit 6975aded48ce0b855445ead7203905795daee608 Author: Pacho Ramos <pacho@gentoo.org> AuthorDate: 2022-12-04 21:16:56 +0000 Commit: Pacho Ramos <pacho@gentoo.org> CommitDate: 2022-12-04 21:23:20 +0000 games-arcade/supertux: Fix CVE-2021-41556 Bug: https://bugs.gentoo.org/843008 Signed-off-by: Pacho Ramos <pacho@gentoo.org> .../supertux-0.6.3-squirrel-CVE-2021-41556.patch | 36 ++++++++++++ games-arcade/supertux/supertux-0.6.3-r2.ebuild | 64 ++++++++++++++++++++++ 2 files changed, 100 insertions(+)
Thanks! Please cleanup when ready
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f5bed3ec8d0b10218ba7b8257c73fd30769faa5 commit 6f5bed3ec8d0b10218ba7b8257c73fd30769faa5 Author: Pacho Ramos <pacho@gentoo.org> AuthorDate: 2022-12-10 15:06:24 +0000 Commit: Pacho Ramos <pacho@gentoo.org> CommitDate: 2022-12-10 15:09:28 +0000 games-arcade/supertux: drop 0.6.3 Bug: https://bugs.gentoo.org/843008 Signed-off-by: Pacho Ramos <pacho@gentoo.org> games-arcade/supertux/supertux-0.6.3.ebuild | 62 ----------------------------- 1 file changed, 62 deletions(-)
Ah, right, no stable versions. All done, thanks!
