The security issue was found in current versions, allowing access to local files over the browser. It is recommended to bump versions to 6.28.10 and 6.30.02.

Reproducible: Always
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e4230d64773dc7194cced43acf852012680b7f3b

commit e4230d64773dc7194cced43acf852012680b7f3b
Author: Guilherme Amadio <amadio@gentoo.org>
AuthorDate: 2023-11-30 10:39:50 +0000
Commit: Guilherme Amadio <amadio@gentoo.org>
CommitDate: 2023-11-30 12:35:02 +0000

sci-physics/root: add 6.30.02, drop 6.30.00

Closes: https://bugs.gentoo.org/918895
See also: https://root.cern/about/security
Signed-off-by: Guilherme Amadio <amadio@gentoo.org>

sci-physics/root/Manifest | 2 +-
sci-physics/root/{root-6.30.00.ebuild => root-6.30.02.ebuild} | 0
2 files changed, 1 insertion(+), 1 deletion(-)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=89fdadffee2a558d6bfd1778ba03d231e8ef6644

commit 89fdadffee2a558d6bfd1778ba03d231e8ef6644
Author: Guilherme Amadio <amadio@gentoo.org>
AuthorDate: 2023-11-30 10:42:02 +0000
Commit: Guilherme Amadio <amadio@gentoo.org>
CommitDate: 2023-11-30 12:35:02 +0000

sci-physics/root: add 6.28.10, drop 6.28.08

Bug: https://bugs.gentoo.org/918895
Signed-off-by: Guilherme Amadio <amadio@gentoo.org>

sci-physics/root/Manifest | 2 +-
sci-physics/root/{root-6.28.08.ebuild => root-6.28.10.ebuild} | 0
2 files changed, 1 insertion(+), 1 deletion(-)
Just for the record, please note that merely having the software installed does not create any problems. The security problem happens when starting a web-based TBrowser (see https://root.cern/about/security for a succinct explanation), which opens a port that allows unauthenticated connections with access to the ROOT prompt. I unfortunately added a tag when bumping, which closed the bug, but feel free to reopen if you think that's appropriate.
Hi, yes, I understand the nature of the problem and the risks and conditions. I think all that could be done was already done. Perhaps the comment you made in the previous entry should be displayed to the user in the post-install message?
(In reply to Guilherme Amadio from comment #2)

> Just for the record, please note that merely having the software installed
> does not create any problems. The security problem happens when starting a
> web-based TBrowser (see https://root.cern/about/security for a succinct
> explanation), which opens a port that allows unauthenticated connections
> with access to the ROOT prompt.

Hence my initial C4 severity. It should be ~4 actually, given that there are no stable versions.

> I unfortunately added a tag when bumping, which closed the bug, but feel
> free to reopen if you think that's appropriate.

No need to reopen, with vulnerable versions gone and no GLSA to issue we are all done.
(In reply to Rafal Lalik from comment #3)

> Hi, yes, I understand the nature of the problem and the risks and conditions.
> I think all that could be done was already done. Perhaps the comment you made
> in the previous entry should be displayed to the user in the
> post-install message?

Sure, I will add a warning message. Users should be aware.