| Summary: | app-arch/rpm: buffer overflow | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Raphael Marichez (Falco) (RETIRED) <falco> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | sanchan |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/22740/ | | |
| Whiteboard: | B2 [glsa] Falco | | |
| Package list: | | Runtime testing required: | --- |
Description
Raphael Marichez (Falco) (RETIRED)
2006-11-06 01:53:39 UTC
I'll try to have the fix in portage as soon as possible. The issue is not so critical because rpm seems to be totally broken (bug #153974, #153292, #153280) and doesn't work at all. I'm trying to have at least one version working. Another reason for the low level of severity is that the overflow vulnerability can be exploited only with LANG=ru_RU.UTF-8.

The provided patch: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=139715 applies without errors to 4.4.6-r2; I'm testing the ebuild right now. I'm going to try the patch also on 4.4.7 in the next 2 hours.

Upstream patch in portage for rpm 4.4.6 and 4.4.7, version bump for security fix.

Thanks Sandro. This was really fast!

Since when do we mark (security-)bumped packages directly as stable?

(In reply to comment #5)
> Since when do we mark (security-)bumped packages directly as stable?

I don't know, but as far as I can remember it is the policy for security-bump of stable ebuilds.

Tobias, Sandro, just to clarify: it's usually up to the package maintainer whether to bump directly to stable or let arches do the stable marking.

(In reply to comment #7)
> Tobias, Sandro just to clarify: it's usually up to the package maintainer
> whether to bump directly to stable or let arches do the stable marking.

Where's that documented? I only knew (and still can only find) the process described here: http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap4_sect1

Tobias, yeah that is normal procedure. For very small fixes/very urgent issues maintainers sometimes bump directly to stable.

Ok then ... I was just kinda confused as I'm watching bug-mails for the security@g.o alias now for nearly two years and can't remember seeing a bump directly to stable in that time.

GLSA 200611-08, thanks everybody