Summary: | xfce-base/libxfcegui4 < 4.4.2: possible double free(), format string (CVE-2007-6532) | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Christian Hoffmann (RETIRED) <hoffie>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | nightmorph, xfce
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://www.xfce.org/documentation/changelogs/4.4.2 | |
Whiteboard: | B2 [glsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 201747 | |
Bug Blocks: | | |

Description
Christian Hoffmann (RETIRED)
2007-12-04 22:36:37 UTC
Bleh, sorry for the bug spam. Getting the summary right is hard. ;) It was wrong before, should be better now, but I'm still not sure.

First issue, libxfce4gui:
4.4: http://svn.xfce.org/index.cgi/xfce4/revision?rev=25554
trunk: http://svn.xfce.org/index.cgi/xfce4/revision?rev=25555

The "%" one:
4.4: http://svn.xfce.org/index.cgi/xfce4/revision/?rev=25677

xfce: ok for 4.4.2 going stable?

(In reply to comment #4)
> xfce: ok for 4.4.2 going stable?
>

bug 201747

All but MIPS stable on bug 201747, setting GLSA.

The % issue is not a security problem, as it only means that %U and other strings do not get removed from Exec calls in .desktop files. CVE-2007-6532 was assigned to the double free.

GLSA 200801-06

(In reply to comment #9)
> GLSA 200801-06
>

. . . I know the GLEP was already sent and posted to the forums, but you should be aware that I finally removed the Upgrading section last month, as 4.2 was removed from Portage a looooooong time ago. Even 4.4 and 4.4.1 have been removed from the tree.

Anyway, the upgrade path outlined in the guide no longer exists; drac had been doing many ebuild changes so that it would have required different procedures. Users will have to visit CVS[1] to see the last version of the guide with that chapter.

[1] http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/xfce-config.xml?rev=1.14&view=markup

Thanks for pointing that out, I removed the reference.