Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 209334

Summary: glsa format throws false positives on media-libs/netpbm
Product: Gentoo Security Reporter: Raphael Marichez (Falco) (RETIRED) <falco>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: enhancement    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-08 11:05:09 UTC 
Hi,

"Buffer overflow in the readImageData function in giftopnm.c in netpbm
before 10.27 in netpbm before 10.27 allows remote user-assisted
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via a crafted GIF image, a similar issue to
CVE-2006-4484."

Actual latest stable ebuilds for all arches are fixed -> no glsa will be needed.

This patch has been introduced in 10.27 but it was only been identified as a security issue (related to old CVE-2006-4484) a few days ago.

for more information:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464056
https://issues.rpath.com/browse/RPL-2216
Comment 1 Markus Meier gentoo-dev 2008-02-08 18:00:07 UTC 
done.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-08 18:00:46 UTC 
thanks a lot Markus
Comment 3 SpanKY gentoo-dev 2008-02-09 22:53:17 UTC 
will people stop "fixing" netpbm

the old versions should not be removed, nor are they vuln

if the glsa says "<10.27", then it's broken and needs to have a more exact version check added to it
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-10 15:03:54 UTC 
If there is an error in one of the netpbm GLSAs, please post the fixes needed and I'll update the GLSA.
Comment 5 SpanKY gentoo-dev 2008-02-10 21:39:22 UTC 
ive never actually played with the GLSA format so i cant post a diff

while i dont know the first version in the 10.26.x series to be fixed, 10.26.49 for sure is not vuln
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-11 21:09:39 UTC 
I've added 10.26.48 and 10.26.49 as unaffected on glsa-200508-04 and glsa-200510-18. Is there anything further to do here?
Comment 7 SpanKY gentoo-dev 2008-02-13 20:43:59 UTC 
there are going to be more 10.26.x releases, so unless the glsa allows all 10.26.x where x is >= 49, people are going to keep screwing things up
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-02-13 21:09:17 UTC 
(In reply to comment #7)
> there are going to be more 10.26.x releases, so unless the glsa allows all
> 10.26.x where x is >= 49, people are going to keep screwing things up
> 

Unfortunately it doesn't, the only way would be to make sure that all the 10.26.x were unaffected... By the way, why do you need 10.26.x series so badly when 10.40.x and 10.41.x are out there?
Comment 9 SpanKY gentoo-dev 2008-02-15 20:07:21 UTC 
they are different release series.  one is the "stable" branch while the other is the "advanced and commonly broken" series.

sounds like the glsa format needs updating.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-16 12:19:39 UTC 
> sounds like the glsa format needs updating.

We've known that for a long time. To make that feasible we need someone to fix up glsa-check (and others). I guess noone have had the time to do so.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-04-14 14:22:30 UTC 
i've fixed this specific issue by correcting GLSA-200510-18. Of course this does not fix the global issue that GLSAs lack ranges.