| Summary: | app-text/tetex includes vulnerable xpdf code (CVE-2007-3387) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Matt Fleming (RETIRED) <mjf> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | pylon, rbu, tex |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://secunia.com/advisories/26293/ | ||
| Whiteboard: | A2 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 170861 | ||
| Bug Blocks: | |||
|
Description
Matt Fleming (RETIRED)
2007-08-08 20:42:50 UTC
CC'ing maintainer and setting whiteboard status. Adding CVE number After talking to aballier, I just committed app-text/tetex-3.0_p1-r4 that should fix this issue. I also cleaned out old versions of tetex-3, but 2 probably still contains vulnerable code. Pylon said he'd look into what needs 2.0 before that can be cleaned out. any updates about the 2.x series? (In reply to comment #4) > any updates about the 2.x series? Not from me. Pylon, does anything still need it? > Not from me. Pylon, does anything still need it?
AFAIK we can clean out tetex-2 from the tree. The only thing that holds us back is stabilising some ebuilds. Let me create a list tomorrow.
(In reply to comment #6) > > Not from me. Pylon, does anything still need it? > > AFAIK we can clean out tetex-2 from the tree. The only thing that holds us > back is stabilising some ebuilds. Let me create a list tomorrow. > Ok, so I guess we can just mark > 3.0_p1-r4 as unaffected, and < vulnerable (so including all 2.x series too, but since it will be removed soon it's no problem). is it ok with you? GLSA 200707-17. (In reply to comment #8) > GLSA 200707-17. > hmm it was 200709-17, sorry :/ |