Bug 249039 (CVE-2008-4829)

Comment 1 Robert Buchholz (RETIRED) 2008-11-27 11:33:01 UTC

*** Bug 245959 has been marked as a duplicate of this bug. ***

Comment 2 Robert Buchholz (RETIRED) 2008-11-27 11:33:51 UTC

B1 because it is a client, and you need to entice a user to visit the malicious URL.

Comment 3 Robert Buchholz (RETIRED) 2008-11-27 11:35:56 UTC

We can either bump:

New for 1.64.0
------------------------------------
Wed Nov 19 09:00:06 EST 2008
* Security patch for CVE-2008-4829, multiple buffer overflows in http.c
  that could result in remote exploit.


... or patch:
http://streamripper.cvs.sourceforge.net/viewvc/streamripper/sripper_1x/lib/http.c?view=patch&r1=1.50&r2=1.51&pathrev=sripper-1_64_0

Comment 4 Samuli Suominen (RETIRED) 2008-11-27 12:13:51 UTC

1.64.0 is now in Portage. Test and stable.

Comment 5 Robert Buchholz (RETIRED) 2008-11-27 12:42:55 UTC

Arches, please test and mark stable:
=media-sound/streamripper-1.64.0
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

Comment 6 Samuli Suominen (RETIRED) 2008-11-27 14:42:39 UTC

For hppa this means stabilizing cdk without ~arch testing, DEPEND.bad, RDEPEND.bad, media-sound/streamripper/streamripper-1.64.0.ebuild: ~hppa(default/linux/hppa/2008.0) ['dev-libs/cdk'] or mass unkeywording 
of media applications.

Comment 7 Robert Buchholz (RETIRED) 2008-11-27 14:53:27 UTC

We can add a grace period for cdk ~hppa testing and stable it in a week.

Comment 8 Jeroen Roovers (RETIRED) 2008-11-27 16:20:10 UTC

Stable for HPPA.

May I ask why streamripper-1.64.0 ebuild depends on cdk ? I removed the cdk dep ( cdk not installed on my system ) and it built just fine. Output was

Using included CDK library?        no

Which means neither did it use the internal one nor is there a system one.

./configure --help says

--with-included-cdk use the cdk library included with streamripper

No option is there for using system cdk.

I conclude that

a) cdk is optional and unternal only - maybe needs a cdk useflag
b) it seems that streamripper will not build against a system cdk at all ( unsure about this - please check with ldd )

Sorry if it was wrong to post here instead of doing a new bug right away.

Comment 10 Samuli Suominen (RETIRED) 2008-11-28 05:13:20 UTC

Next arch touching this.

- Remove dev-libs/cdk from RDEPEND.
- Remove unused "inherit eutils"

Thank you.

Comment 11 Markus Meier 2008-11-28 20:43:23 UTC

(In reply to comment #10)
> Next arch touching this.
> 
> - Remove dev-libs/cdk from RDEPEND.
> - Remove unused "inherit eutils"
> 
> Thank you.
> 

done, as amd64/x86.

Comment 12 Samuli Suominen (RETIRED) 2008-11-28 20:48:22 UTC

For The Record, cdk was used for cstreamripper which is supposed to be some sort of ncurses frontend to streamripper itself. I remember looking at this issue like an year ago, and seeing some upstream message it was temp. disabled for a reason.

Anyway, I will investigate this issue more closely later (again).

Luckily, streamripper has other frontends available in Portage.

Comment 13 Tobias Scherbaum (RETIRED) 2008-11-28 21:17:25 UTC

ppc stable

Comment 14 Raúl Porcel (RETIRED) 2008-11-29 17:01:02 UTC

alpha/sparc stable

Comment 15 Stefan Behte (RETIRED) 2008-11-30 16:13:09 UTC

ppc64: *PING*

Comment 16 Brent Baude (RETIRED) 2008-12-01 15:40:50 UTC

ppc64 done

Comment 17 Tobias Heinlein (RETIRED) 2008-12-07 20:22:59 UTC

GLSA request filed.

Comment 18 Pierre-Yves Rofes (RETIRED) 2009-01-11 14:15:53 UTC

GLSA 200901-05