Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 120106

Summary: x11-libs/libast: 0.7 fixes buffer overflow (CVE-2006-0224)
Product: Gentoo Security Reporter: SpanKY <vapier>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: wolf31o2
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://article.gmane.org/gmane.comp.window-managers.enlightenment.announce/9
Whiteboard: C1 [glsa ] DerCorny
Package list:
Runtime testing required: ---

Description SpanKY gentoo-dev 2006-01-23 15:07:59 UTC 
i'm pretty sure this doesnt affect anything in the portage tree (outside of libast itself) ... Eterm for sure isnt setid anything

ive already added 0.7 to portage

Release Notes:
--------------

This release also contains a security fix for CVE-2006-0224, a buffer
overflow vulnerability discovered by Rosiello Security
(www.rosiello.org) which could lead to privilege escalation in
setuid/setgid applications using LibAST's configuration engine.  This
includes any platforms on which Eterm is setuid/setgid (e.g., setgid
utmp).  Thanks to Angelo Rosiello and his team for discovering this
issue and coordinating with me for the fix and release.

More details on the vulnerability are available at
http://www.rosiello.org/en/read_bugs.php?id=25
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-23 15:27:59 UTC 
arches, pls test and mark stable, thx

... bah, this phrase is getting annoying, i need to find cool alternatives ...
Comment 2 Markus Rothe (RETIRED) gentoo-dev 2006-01-23 22:36:16 UTC 
stable on ppc64
Comment 3 Tobias Scherbaum (RETIRED) gentoo-dev 2006-01-24 05:49:53 UTC 
ppc stable
Comment 4 René Nussbaumer (RETIRED) gentoo-dev 2006-01-24 06:28:17 UTC 
Stable on hppa
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2006-01-24 07:34:01 UTC 
sparc stable.
Comment 6 Joshua Jackson (RETIRED) gentoo-dev 2006-01-24 23:23:20 UTC 
stable on x86
Comment 7 Luis Medinas (RETIRED) gentoo-dev 2006-01-25 02:52:40 UTC 
amd64 done
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2006-01-25 13:41:43 UTC 
Stable on alpha + ia64.
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-25 13:44:05 UTC 
ready for glsa
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-29 06:59:25 UTC 
GLSA 200601-14