More info on Sourceforge: http://sourceforge.net/tracker/index.php?func=detail&aid=834724&group_id=3714&atid=103714 https://sourceforge.net/tracker/index.php?func=detail&aid=1160134&group_id=3714&atid=303714
We do not have the mentioned vulnerable 3.1.2 version in our tree anymore.
Someone responded to the bug and confirmed this in 3.2.0 as well. CC'ing sound since this is their baby.
A 3.3.0 ebuild and the patch from sourceforge are now in tree.
The added patch was not confirmed by upstream, and is not included in their latest release 3.3.0. Although this vulnerability is highly unlikely to cause any trouble, the patch looks harmless to me, so I have no objection to keeping it in the tree. Security/Audit Team, opinions?
Looks alright to me... Arches, please test and mark grip-3.3.0 stable
Stable on ppc64.
Stable on ppc.
Stable on sparc.
Stable on amd64 and x86.
Stable on alpha.
GLSA 200503-21
What about the vulnerable versions in the tree, 3.2.0 and 3.2.0-r1? Shouldn't somebody remove them?
Vulnerable versions are removed.
Is it really appropriate to replace Grip 3.2.0 (the officially released version) with Grip 3.3.0 (an unstable development version)? Shouldn't the proper route have been to backport the patch to 3.2.0?
FYI, the patch (3.3.0-crashfix.patch) applies directly to 3.2.0 and solves the problem.