| Field | Value |
|---|---|
| Summary | <media-libs/openexr-1.7.0: multiple vulnerabilities (CVE-2009-{1720,1721}) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Robert Buchholz (RETIRED) <rbu> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | High |
| CC | vivo75 |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B2 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | |
Description
Robert Buchholz (RETIRED)
2009-07-09 15:05:53 UTC
now public

craig: CVE-2009-1722 was fixed in 2007 in gentoo and is not relevant anymore

Created attachment 200439 [details, diff]
openexr-CVE-2009-1720+CVE-2009-1721.patch

patch in CVS HEAD.

Created attachment 200441 [details, diff]
openexr-1.6.1-CVE-2009-1720+CVE-2009-1721.patch

trivial backport to 1.6.1

please bump!
(In reply to comment #4)
> Created an attachment (id=200441) [edit]
> openexr-1.6.1-CVE-2009-1720+CVE-2009-1721.patch
>
> trivial backport to 1.6.1
>
> please bump!

Problem is, this breaks ABI, use

    nm -D --defined-only /usr/lib/libIlmImf.so.6.0.0 | awk '{print $3}' | c++filt

to obtain it. Then, diffing the output gives me:

    -Imf::B44Compressor::B44Compressor(Imf::Header const&, int, int, bool)
    -Imf::B44Compressor::B44Compressor(Imf::Header const&, int, int, bool)
    +Imf::B44Compressor::B44Compressor(Imf::Header const&, unsigned long, unsigned long, bool)
    +Imf::B44Compressor::B44Compressor(Imf::Header const&, unsigned long, unsigned long, bool)

Defined in /usr/include/OpenEXR/ImfB44Compressor.h, hence available for library consumers. Other changes are not defined in public headers thus may be considered safe.

Oh, I did not notice. I checked, the CVS HEAD has the same LIBTOOL_CURRENT as the last release (6). We could either contact Florian Kainz about increasing it so their next release is ok and then amend the patch, or use the original patches by Drew Yao which should be ABI compatible.

http://cvs.fedoraproject.org/viewvc/rpms/OpenEXR/devel/openexr-1.6.1-CVE-2009-1720-1.patch?revision=1.1&view=markup
http://cvs.fedoraproject.org/viewvc/rpms/OpenEXR/devel/openexr-1.6.1-CVE-2009-1720-2.patch?revision=1.1&view=markup
http://cvs.fedoraproject.org/viewvc/rpms/OpenEXR/devel/openexr-1.6.1-CVE-2009-1721.patch?revision=1.1&view=markup

Since I prefer going with the upstream approach, I'd mail him if you have not done so yet.

*ping*

Test & stabilize:
=media-libs/ilmbase-1.0.2 "alpha amd64 hppa ia64 ppc ppc64 s390 sh sparc x86"
=media-libs/openexr-1.7.0 "alpha amd64 hppa ia64 ppc ppc64 s390 sh sparc x86"
=media-gfx/openexr_viewers-1.0.2 "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

*** Bug 346657 has been marked as a duplicate of this bug. ***

amd64 ok

Stable for HPPA.

Tested on SPARC: ilmbase-1.0.2, passed all tests, openexr-1.7.0 built OK but failed on one of the tests which aborted the testing process as it threw an assert, openexr_viewers-1.0.2 built OK, but has no tests to run through. I think that. It's up to you whether you can stabilise or not on SPARC, but personally I'd investigate the test failure and why it aborted.

amd64 done. Thanks Agostino

x86 stable

alpha/ia64/sparc stable, s390/sh keywords dropped

Stable for PPC.

ppc64 done.

@security: last arch done, into your hands and vulnerable versions removed from tree as well, add media-video@ back if you need something, thanks!

GLSA request filed.

hum, maybe it's time to close?

This issue was resolved and addressed in GLSA 201312-07 at http://security.gentoo.org/glsa/glsa-201312-07.xml by GLSA coordinator Chris Reffett (creffett).
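The ABI check described in the thread (dump the exported symbols with `nm -D --defined-only`, demangle them with `c++filt`, diff the lists of the old and new build) is worth having as a repeatable script rather than a one-off pipeline, because a type change in a public header such as `int` to `unsigned long` silently renames the mangled constructor symbol, and any consumer linked against the old name fails to load. The script below is an added example, not code from this bug, from Gentoo or from the OpenEXR project. It assumes GNU binutils (`nm`, `c++filt`) for `exported_symbols`; `abi_diff` itself only needs `sort`, `comm`, `sed` and `printf`, so it can also be run on hand-written symbol lists.

```shell
#!/bin/sh
# Added example (not from this bug or from OpenEXR): compare the exported C++
# symbols of two builds of a shared library and flag removed exports, which is
# exactly how a changed constructor signature shows up.
# Assumption: GNU binutils' nm and c++filt are installed (used only by
# exported_symbols). A fixed locale keeps sort and comm in agreement.
LC_ALL=C; export LC_ALL

# Print the demangled, de-duplicated, sorted export list of a shared object.
# $3 is the symbol name in nm's "address type name" output, as in the thread.
exported_symbols() {
    nm -D --defined-only "$1" | awk '{print $3}' | c++filt | sort -u
}

# abi_diff OLD NEW: OLD and NEW are files holding sorted symbol lists.
# Prints symbols removed in NEW with a '-' prefix and added ones with '+'.
# Returns 1 when anything was removed: consumers reference exports by mangled
# name, so a removed export is an ABI break. Additions alone are backward
# compatible and return 0.
abi_diff() {
    abi_removed=$(comm -23 "$1" "$2")
    abi_added=$(comm -13 "$1" "$2")
    [ -n "$abi_removed" ] && printf '%s\n' "$abi_removed" | sed 's/^/-/'
    [ -n "$abi_added" ] && printf '%s\n' "$abi_added" | sed 's/^/+/'
    [ -z "$abi_removed" ]
}

# abi_check OLD.so NEW.so: dump both export lists and diff them.
abi_check() {
    abi_tmp=$(mktemp -d)
    exported_symbols "$1" > "$abi_tmp/old"
    exported_symbols "$2" > "$abi_tmp/new"
    abi_diff "$abi_tmp/old" "$abi_tmp/new"
    abi_rc=$?
    rm -rf "$abi_tmp"
    return "$abi_rc"
}

# When run directly with two library paths, report and exit non-zero on breakage,
# e.g.: sh abi_check.sh /usr/lib/libIlmImf.so.6.0.0 ./work/libIlmImf.so.6.0.0
if [ "$#" -eq 2 ]; then
    abi_check "$1" "$2"
fi
```

Two caveats a packager should keep in mind. The duplicated `-`/`+` lines in the thread's diff are the complete-object and base-object constructors g++ emits for every class, which demangle to the same text; `sort -u` collapses them, which is fine for this purpose. More importantly, this check only sees symbol names: a change to a class's data members or virtual table layout leaves every exported name intact and still breaks binary compatibility, so a clean symbol diff is necessary but not sufficient evidence that LIBTOOL_CURRENT can stay unchanged.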