| Field | Value |
|---|---|
| Summary: | app-arch/lha: multiple vulnerabilities (CVE-2006-433[4-8]) |
| Product: | Gentoo Security |
| Reporter: | MATSUU Takuto (RETIRED) <matsuu> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | normal |
| CC: | usata |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| Whiteboard: | B2 [glsa] Falco |
| Package list: | |
| Runtime testing required: | --- |
| Bug Depends on: | 145511 |
| Bug Blocks: | |
| Attachments: | |
Description
MATSUU Takuto (RETIRED)
2006-10-13 19:31:54 UTC
Created attachment 99626 [details]
app-arch/lha/lha-1.14i_p20050924.ebuild
Created attachment 99627 [details, diff]
app-arch/lha/files/lha-1.14i_p20050924-CVE-2006-4334-8.patch
Created attachment 99817 [details]
app-arch/lha-1.14i_p20050924.ebuild
Patched version was released by upstream.
lol it's dated october 17th :) http://sourceforge.jp/projects/lha/ (japanese local time :þ )

Usata, could you have a look please and bump this new version.

ah, media-sound/timidity++ also has vulnerabilities. Should I post a new bug?

I had talked with usata and committed app-arch/lha-1.14i_p20050924.ebuild in his stead. I had tried unsuccessfully to fix media-sound/timidity++.

This versioning sucks a bit, triggers a false positive for an ancient GLSA:

app-arch/lha-1.14i_p20050924: vulnerable via glsa(200405-02) ( ver-rev <= 114i-r1 && ver-rev not >= 114i-r2 ), affects ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'm68k', 'ppc', 'ppc-macos', 'ppc64', 's390', 'sh', 'sparc', 'x86', 'x86-fbsd')
app-arch/lha-1.14i_p20050924: vulnerable via glsa(200409-13) ( ver-rev <= 114i-r3 && ver-rev not >= 114i-r4 ), affects ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'm68k', 'ppc', 'ppc-macos', 'ppc64', 's390', 'sh', 'sparc', 'x86', 'x86-fbsd')
> This versioning sucks a bit, triggers a false positive for an ancient GLSA:
>
This new versioning is the right one (regarding upstream versioning), so I've just updated GLSA 200405-02 & GLSA 200409-13 (my changes can't hurt anything).
Concerning glsa-check, you can go on with lha-1.14i_p20050924, but "emerge" will continue to think that 114 is the newer, bad.
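The false positive above, and the reason emerge still ranks 114i above 1.14i, both follow from how the package manager orders versions: the first numeric component is compared as an integer, so 1.14i sorts below every 114i-rN. The following is an added example, not Portage's or glsa-check's own code; it implements a simplified subset of the PMS version comparison (numeric components as plain integers, without the leading-zero rule) and reruns the two quoted GLSA range checks for both lha versions.

```python
"""Simplified PMS (Gentoo) version ordering; added example, not Portage code.

Assumption: numeric components compare as integers, so the PMS leading-zero
rule (e.g. 1.01 vs 1.1 compared as strings) is left out; lha never needs it.
"""
import re

# PMS suffix order: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}
_NO_SUFFIX = (_SUFFIX_RANK[None], 0)
_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z])?((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$")

def parse_version(ver):
    """Split 'numbers[letter][_suffix...][-rN]' into comparable parts."""
    m = _VERSION_RE.match(ver)
    if m is None:
        raise ValueError(f"not a PMS version string: {ver!r}")
    nums, letter, suffixes, rev = m.groups()
    numeric = [int(n) for n in nums.split(".")]
    suffix_keys = [(_SUFFIX_RANK[name], int(num or 0))
                   for name, num in re.findall(r"_([a-z]+)(\d*)", suffixes)]
    return numeric, letter or "", suffix_keys, int(rev or 0)

def compare_versions(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    # "No suffix" ranks between _rc and _p, so pad the shorter suffix list
    # with that marker before comparing position by position.
    width = max(len(sa), len(sb))
    sa = sa + [_NO_SUFFIX] * (width - len(sa))
    sb = sb + [_NO_SUFFIX] * (width - len(sb))
    ka, kb = (na, la, sa, ra), (nb, lb, sb, rb)
    return (ka > kb) - (ka < kb)

def vulnerable_per_glsa(installed, vulnerable_max, unaffected_min):
    """The range test glsa-check printed in the bug:
    vulnerable if ver-rev <= vulnerable_max and ver-rev not >= unaffected_min."""
    return (compare_versions(installed, vulnerable_max) <= 0
            and compare_versions(installed, unaffected_min) < 0)

if __name__ == "__main__":
    # Ranges taken from the two GLSAs in the quoted glsa-check output.
    for glsa, vmax, umin in (("200405-02", "114i-r1", "114i-r2"),
                             ("200409-13", "114i-r3", "114i-r4")):
        for ver in ("1.14i_p20050924", "114i-r6"):
            state = "vulnerable" if vulnerable_per_glsa(ver, vmax, umin) else "ok"
            print(f"app-arch/lha-{ver}: {state} via glsa({glsa})")
```

Run as a script it prints 1.14i_p20050924 as vulnerable against both old GLSAs and 114i-r6 as ok, which is exactly the mismatch that made renaming the ebuild to 114i-r6 the clean fix.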
Should I rename it to lha-114i-r6?

Renamed.

All archs: test and mark stable app-arch/lha-114i-r6

sparc stable --- builds and runs all tests. Hard for me to test further because I can't read the documentation.

x86 done... tested with games-fps/quake1-data... ;]

Thanks a lot Matsuu

ppc-macos stable

amd64 done.

ppc stable

All tests passed. Stable on alpha.

Stable on ia64.

ppc64 stable, thanks

stable on hppa

Removed old version.

Falco is a GLSA needed here?

(In reply to comment #23)
> Falco is a GLSA needed here?

Some of the vulnerabilities concern an execution of code, of course a GLSA is needed (sorry for the delay :o )

GLSA 200611-24