Summary: | dev-util/cscope arbitrary code execution | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Harlan Lieberman-Berg (RETIRED) <hlieberman> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | emacs, vim |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2541 | ||
Whiteboard: | B2 [glsa] DerCorny | ||
Package list: | Runtime testing required: | --- |
Description
Harlan Lieberman-Berg (RETIRED)
2006-05-19 18:51:51 UTC
vim or emacs herd, please check if we are really vulnerable (seems to be an old problem) and provide fixed ebuilds in case that we are, thank you. vim/emacs teams: please advise Can you provide a pointer to the list of vulnerabilities? I'm not sure what you're asking -- do you want us to do a code audit? No, was asking if you could provide some insight on that problem, like if you know about a patch or a new version that we could bump to. The closest thing we have to a patch would be in : http://www.us.debian.org/security/2006/dsa-1064 It is my opinion that our port is vulnerable. cscope-15.5-r5.ebuild includes several patches but none of them address the 30+ potential buffer overflows the debian patch at http://security.debian.org/pool/updates/main/c/cscope/cscope_15.5-1.1sarge1.diff.gz addresses. mkennedy, since you are in the emacs herd and said that we are probably vulnerable, could you please provide a fixed revbump? revbumped to cscope-5.15-r6.ebuild w/ the following: src_unpack() { unpack ${A} # ~30 buffer overflows fix: Gentoo Bug #133829, patch developed by # the Debian Security Team (thanks to those guys), CVE-2004-2541, # Moritz Muehlenhoff. The Debian patch also includes the tempfile # fix (previously ${PN}-${PV}-tempfile.patch) epatch ${P}-debian-security.patch arches please test and stable cscope-5.15-r6, thanks cscope-15.5-r6 stable on ppc64 alpha stable. ppc stable amd64 stable. sparc stable. x86 done *~_~* stable on hppa GLSA 200606-10 arm, ia64, mips, s390 don't forget to mark stable to benifit from the GLSA. |