| Summary: | <media-libs/netpbm-10.49.00: code execution (CVE-2009-4274) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | bug, graphics+disabled |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=546580 | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Stefan Behte (RETIRED)
2010-03-06 14:53:55 UTC
The newest ebuild in tree is still vulnerable; the CVE versioning is wrong: http://netpbm.svn.sourceforge.net/viewvc/netpbm/stable/converter/ppm/xpmtoppm.c?view=patch&r1=995&r2=1076&pathrev=1076 Please provide a patched ebuild or bump to a newer version.

netpbm-10.49.00 now in the tree.

Cannot build netpbm-10.49.00 on Gentoo/FreeBSD because of the use of the undefined signal SIGPWR. Upstream trunk already fixes this problem. Here is a patch: http://netpbm.svn.sourceforge.net/viewvc/netpbm/trunk/lib/libsystem.c?r1=1129&r2=1149&view=patch I've confirmed that applying this patch makes it possible to emerge netpbm-10.49.00 on Gentoo/FreeBSD.

new issues -> new bugs

10.49.00 is stable now ...

GLSA request filed.

From Bryan Henderson <bryanh@giraffe-data.com> I got an update related to version 10.49 (segfault in libc): Thanks for the report. There was a bug with that symptom fixed in Release 10.50 (March 2010), and I can't reproduce the problem in current code.

v 10.51-r1 emerged here on an almost stable 32bit x86 Gentoo w/o problems.

This issue was resolved and addressed in GLSA 201311-08 at http://security.gentoo.org/glsa/glsa-201311-08.xml by GLSA coordinator Sean Amoss (ackle).