Summary: | app-office/openoffice{-bin}-2.0.2 fixes heap overflow in included curl | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Carsten Lohrke (RETIRED) <carlo>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | bugreports, office
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://qa.openoffice.org/issues/show_bug.cgi?id=59032 | |
Whiteboard: | B2 [glsa] DerCorny | |
Package list: | | Runtime testing required: | ---

Description
Carsten Lohrke (RETIRED)
2006-03-16 08:24:45 UTC
arches please test and mark stable

stable on amd64

...and he looked down upon openoffice-bin and saw that it was stable... and then there was much rejoicing... (stable on x86)

Ready for glsa

mhh, wait a second: what's up with normal openoffice? There is a curl useflag and it deps to curl, but does it really link to the external curl of gentoo (fixed long ago) or does it use the one shipped with openoffice?

Indeed, old builds of openoffice-2.0.1 should be vulnerable too if you didn't use the curl-use-flag (because in this case the internal curl is being used for the build). I removed this use-flag yesterday, and we now hard-depend on the external curl, so for someone doing a fresh build, this is no issue anymore. Do you want me to do a revision bump (without changes) so that everyone gets it? Think this would be the best solution, as 2.0.2 is not in the condition to go stable on most archs.

yes, please revbump it

I've revision-bumped openoffice-2.0.1, the old ebuild is still in there but is not vulnerable anymore because of the aforementioned change I did yesterday. Also I've removed openoffice-bin-2.0.1 from the tree, so I think everything should be set for the GLSA.

openoffice-2.0.1-r1 is stable, ready for GLSA

Fixed versions :
>=openoffice-2.0.1-r1
>=openoffice-bin-2.0.2

GLSA 200603-25

Thanks everybody.