Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 150229

Summary: net-nntp/tin 1.8.1 and below - buffer overflow
Product: Gentoo Security Reporter: Matt Drew (RETIRED) <aetius>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: net-news
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa] aetius
Package list:
Runtime testing required: ---

Description Matt Drew (RETIRED) gentoo-dev 2006-10-05 21:21:56 UTC
portaudit:  http://www.freebsd.org/ports/portaudit/19a92df1-548d-11db-8f1a-000a48049292.html

Sites referenced from there:

http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.005-tin.html
ftp://ftp.tin.org/pub/news/clients/tin/stable/CHANGES

1.8.2 with the fix is already in portage, but is still classed unstable.  Stable is 1.6.2, which is vulnerable according to the OpenPKG link.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-11 05:23:49 UTC
net-news, can we start stable marking of 1.8.2?
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-10-18 05:41:20 UTC
ping net-news
Comment 3 Sven Wegener gentoo-dev 2006-10-22 08:41:30 UTC
Yes, 1.8.2 is ready for stable.
Comment 4 Matt Drew (RETIRED) gentoo-dev 2006-10-26 06:06:15 UTC
CC'ing arches for stabilization.

keywords: arm, ia64, sparc, x86
Comment 5 Markus Meier gentoo-dev 2006-10-26 11:38:35 UTC
1. emerges on x86
2. passes collision test
3. seems to work

net-nntp/tin-1.8.2  USE="crypt ipv6 ncurses nls -debug"

Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18.1 i686)
=================================================================
System uname: 2.6.18.1 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.5
Last Sync: Thu, 26 Oct 2006 14:50:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 6 Chris Gianelloni (RETIRED) gentoo-dev 2006-10-26 12:15:47 UTC
x86 done
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2006-10-27 06:27:48 UTC
sparc stable.
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2006-10-29 11:41:08 UTC
ia64 done.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 23:45:01 UTC
Called for a draft in GLSAmaker. Any reason that hasn't been done before?
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-24 05:25:59 UTC
Better late than never.....

GLSA 200611-18