Summary: | dev-util/valgrind <3.4.0 untrusted search path vulnerability (CVE-2008-4865) | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | minor | CC: | griffon26, nunoplopes | ||||
Priority: | High | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
URL: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4865 | ||||||
Whiteboard: | B1 [glsa] | ||||||
Package list: | Runtime testing required: | --- | |||||
Attachments: |
|
Description
Stefan Behte (RETIRED)
2008-11-02 20:03:12 UTC
Created attachment 170644 [details, diff] Patch for valgrind SVN HEAD This is the same solution as given by solar for gdb in bug #88398. It applies to valgrind SVN HEAD, but not to valgrind 3.3.1. Valgrind 3.3.1 has a problem with vg_stat that has been solved in SVN and I'm not sure this patch is going to do much good on 3.3.1. Has valgrind upstream been notified of this issue? I didn't find anything on the mailing lists or in the bug tracker. Anyone? Were waiting on upstream. Change the whiteboard to reflect this. Upstream bug report: https://bugs.kde.org/show_bug.cgi?id=177682 valgrind 3.4 was released yesterday and it fixes this problem. $ svn log -c 8798 svn://svn.valgrind.org/valgrind/trunk ------------------------------------------------------------------------ r8798 | dirk | 2008-11-22 13:03:19 +0100 (Sat, 22 Nov 2008) | 3 lines ignore .valgrindrc files that are world writeable or not owned by the current user (CVE-2008-4865) ------------------------------------------------------------------------ Arches, please test and mark stable: =dev-util/valgrind-3.4.0 Target keywords : "amd64 ppc ppc64 x86" there's a minor issue with this ebuild, apart from that it looks good on amd64/x86: configure: WARNING: unrecognized options: --with-x It's a harmless warning. The previously optional suppression files for X are now always included, so the X use flag will be removed as was the --with-x option to configure. I'll fix that in a next version to not interfere with testing for stabilization. amd64/x86 stable ppc64 done ppc stable, ready for glsa-voting Why is this B4? It should be B1. GLSA 200902-03 |