
Bug 213770 (CVE-2007-6703)

Summary: <app-pda/synce-dccm-0.10.1 vdccm Multiple vulnerabilities (CVE-2007-6703,CVE-2008-1136)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://secunia.com/advisories/29228/
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 178807    
Bug Blocks:    

Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 02:41:33 UTC
CVE-2007-6703 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6703):
  Unspecified vulnerability in vdccm before 0.10.1 in SynCE (SynCE-dccm) might
  allow attackers to cause a denial of service via unspecified vectors.

CVE-2008-1136 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1136):
  The Utils::runScripts function in src/utils.cpp in vdccm 0.92 through 0.10.0
  in SynCE (SynCE-dccm) allows remote attackers to execute arbitrary commands
  via shell metacharacters in a certain string to TCP port 5679.
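The CVE-2008-1136 text above describes the classic shape of a command-injection bug: a string received from the network ends up inside a command line that a shell parses. The following C++ snippet is an added illustration, not code from vdccm or SynCE; the function names, the script path and the device-name rules are hypothetical. It contrasts the unsafe pattern (building one command string for `system()`/`popen()`) with a hardened version that validates the name against an allowlist and executes the script via `execv()` with a separate argv entry, so no shell ever interprets the device name.

```cpp
// Added example (not vdccm's own code): unsafe string-building vs. a
// validated, shell-free exec. All names and paths here are hypothetical.
#include <string>
#include <vector>
#include <cctype>
#include <unistd.h>
#include <sys/wait.h>

// Allowlist check: a device name may contain only [A-Za-z0-9_-], 1..64 chars.
bool isSafeDeviceName(const std::string& name) {
    if (name.empty() || name.size() > 64) return false;
    for (unsigned char c : name) {
        if (!(std::isalnum(c) || c == '-' || c == '_')) return false;
    }
    return true;
}

// UNSAFE pattern (shown for contrast, never executed here): the name is
// concatenated into a single command string that a shell would parse, so
// any shell metacharacter in `deviceName` changes the command's meaning.
std::string buildUnsafeCommand(const std::string& scriptDir,
                               const std::string& deviceName) {
    return scriptDir + "/connect.sh " + deviceName;  // would go to system()
}

// Hardened: reject bad names, then fork and execv() the script directly.
// argv[1] is delivered to the script as one argument; no shell is involved.
// Returns the script's exit status, 127 if exec failed, -1 on rejection/error.
int runScriptSafely(const std::string& scriptPath, const std::string& deviceName) {
    if (!isSafeDeviceName(deviceName)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        std::vector<char*> argv;
        argv.push_back(const_cast<char*>(scriptPath.c_str()));
        argv.push_back(const_cast<char*>(deviceName.c_str()));
        argv.push_back(nullptr);
        execv(scriptPath.c_str(), argv.data());
        _exit(127);  // only reached if execv() failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    // Constructed sample inputs: one benign name, one carrying a metacharacter.
    std::string cmd = buildUnsafeCommand("/usr/libexec/synce", "dev;id");
    int rc = runScriptSafely("/bin/true", "pocketpc-01");
    return (cmd.find(';') != std::string::npos && rc == 0) ? 0 : 1;
}
```

The validator is intentionally stricter than "strip the characters we know are dangerous": an allowlist fails closed when a new metacharacter or encoding trick appears, and passing the name as its own argv element removes the shell from the path entirely, which is the actual fix for this bug class.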
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 02:47:16 UTC
We do not have >=0.9.2 in the tree, so CVE-2008-1136 should not affect us. However, CVE-2007-6703 might still be a valid problem.

pda herd, is this ebuild still maintained?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 18:09:46 UTC
pda herd, ping.
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-12 10:57:08 UTC
(In reply to comment #2)
> pda herd, ping.
> 

any news here?
Comment 4 Iain Buchanan 2008-09-30 06:08:01 UTC
SynCE ebuilds are maintained in an overlay.  See #178807.  I'm trying to get it in the tree :)
Comment 5 Federico Ferri (RETIRED) gentoo-dev 2008-11-14 18:01:51 UTC
next step is to stabilize synce* 0.12, so we can remove those insecure packages
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-11-14 19:38:29 UTC
is synce-dccm replaced by another package in synce 0.12? Since we waited half a year on this bug already, I don't think we need 0.12 stable right now, how does a two week window of trying it in ~arch sound?
Comment 7 Federico Ferri (RETIRED) gentoo-dev 2008-11-14 20:34:35 UTC
yes. now it's called synce-odccm.
actually we have version 0.11.1 and 0.12, which are currently in ~arch
Comment 8 Iain Buchanan 2008-11-15 06:07:17 UTC
I would prefer to see synce-hal instead of any *dccm as this is the direction $UPSTREAM is going.

IANADev but I'm happy for a short stabilisation given the amount of time it spent in the overlay.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 23:31:20 UTC
Ian/Federico, can you please point out an exact list of stable targets for synce? Then I'll add arches to CC on this bug.

Furthermore, is the fact that the Gentoo PDA guide is not yet finished a blocker for stabilization?
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-01-13 17:01:06 UTC
ping, Ian and Federico, please look at the previous comment.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-28 08:21:10 UTC
ping?
Comment 12 Iain Buchanan 2009-08-29 11:58:56 UTC
hmm, where was I?

The only arches I know SynCE is regularly used on is x86 and amd64.  There are some bsd'ers but don't think they use Gentoo... Is that enough?
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-09-28 02:45:10 UTC
With stable targets I meant which ebuilds (package names, versions) to go stable.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-07 06:49:41 UTC
Adjusting whiteboard severity because of remote code execution (CVE-2008-1136).
Changing whiteboard state to ebuild, as I don't see an ebuild in the tree.

*ping* to pda herd!
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2010-10-07 22:30:11 UTC
*ping*
Please bump, then let us close this.
Comment 16 Iain Buchanan 2010-10-08 01:54:43 UTC
OK, what exactly needs to be done here?  synce-dccm could probably be removed but I can't remember if it's needed for 2003 or earlier devices.  synce-hal or synce-odccm definitely obsolete it.

PS, what pda herd? :p
Comment 17 Iain Buchanan 2010-10-13 23:24:23 UTC
OK, the original bug was about vdccm which is no longer in the tree nor supported by SynCE.

Its successors synce-odccm and synce-hal are well past these affected versions.

erg this bug can be closed.  After all this isn't a stabilisation bug, just a vulnerability one.

:)
Comment 18 Samuli Suominen (RETIRED) gentoo-dev 2010-12-19 00:25:54 UTC
synce-dccm is no longer in portage (pending on bug 340007 for reinclusion).
and because it's been fixed upstream, if this is ever going to be restored, it'll be fixed

feel free to close this bug as you see fit
Comment 19 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-12-19 15:47:42 UTC
Package was never stable. Closing noglsa.