| Field | Value |
|---|---|
| Summary | sys-apps/dbus < 1.1.20 Security policy flaw (CVE-2008-0595) |
| Product | Gentoo Security |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | cardoe, compnerd, steev |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://secunia.com/advisories/29148/ |
| Whiteboard | A4 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | CVE-2008-0595.patch (attachment 144644) |
Description

Sune Kloppenborg Jeppesen (RETIRED), 2008-02-25 21:11:00 UTC

Created attachment 144644: CVE-2008-0595.patch

Proposed patch.
Adding Doug and Steev as maintainers. Please prepare an updated ebuild and attach it to this bug. Do not commit anything to CVS yet, this bug is confidential until Wednesday.

Adding compnerd since I have sporadic internet access and won't be online very often.

Upstream just released dbus 1.1.20 which includes this fix. Also includes the fix for another dbus bug that is currently open. Would like to commit dbus 1.1.20 and mark stable as soon as possible. Would be removing both 1.0.2 and 1.1.4 since they are both vulnerable if possible. Or would the security team prefer we simply patch 1.0.2 and 1.1.4 for now?

I'm on board with steev's plan. dbus 1.1.x series is a shipping version in several mainline distros now and we're hoping to see this as the main version in Gentoo as well. Additionally D-Bus upstream calls 1.1.x their "Stable Release" and 1.0.x as Legacy.

By the way, this flaw is now public. It's been announced on the dbus ML.

@comment 04: We leave it up to the maintainer whether to patch or bump.

Please update URI with link to release announcement.

Next time just commit when the issue is public. No reason to wait for security.

(In reply to comment #8)
> @comment 04: We leave it up to the maintainer whether to patch or bump.
>
> Please update URI with link to release announcement.
>
> Next time just commit when the issue is public. No reason to wait for security.

It's already been committed. I've just been trying to test everything before announcing it. If you want to proceed with making the GLSA. We'll be only supporting 1.1.20 from here out.

Thx Doug. Arches please test and mark stable. Target keywords are:

dbus-1.1.20.ebuild: KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"

amd64 stable

x86 stable

alpha/ia64/sparc stable

ppc64 done

Stable for HPPA.

no stable keywords for mips.

ppc stable

Fixed in release snapshot. time for vote. I tend to vote NO.

arm/s390 and sh (not listed here) done by Mike

NO too, closing.