Summary: | <media-libs/lib3ds-2.0.0_rc1: Array index error (CVE-2010-0280)
---|---
Product: | Gentoo Security
Reporter: | Stefan Behte (RETIRED) <craig>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | normal
CC: | games, gentoo.power
Priority: | Normal
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | http://sketchup.google.com/support/bin/answer.py?hl=en&answer=141303
Whiteboard: | B2 [glsa]
Package list: |
Runtime testing required: | ---

Description
Stefan Behte (RETIRED)
2010-03-06 15:19:00 UTC
According to http://secunia.com/advisories/38185/ this is fixed in version 2.0 Release Candidate 1, which is tagged in the upstream repo: http://code.google.com/p/lib3ds/source/browse/#svn%2Ftags%2Flib3ds-2.0.0-rc1

Maintainers, please provide an updated ebuild for this security issue.

@games: ping, need a bump.

Security bumped.

Arches, please stabilize:
=media-libs/lib3ds-2.0.0_rc1
Target arches: amd64 ppc ppc64 x86

Created attachment 358922
lib3ds-2.0.0_rc1.ebuild.patch
=media-libs/lib3ds-2.0.0_rc1 fails compile here ~amd64 if not eutoreconf because of links in the examples, I think. I attach the patch.
Cheers.

I couldn't reproduce that behavior here, could you please attach a full build.log?

Created attachment 358940
build.log
Here it is.
Cheers.

amd64 stable

x86 stable

@Iván Atienza Thank you. Not knowing that I killed examples directory in all source autotool files to get it built :-).

ppc64 stable

ppc stable

GLSA drafted and ready for review.

Maintainers, please drop the vulnerable version.

Maintainers, are there any reasons we need to keep 1.3.0 around as it is still vulnerable?

Did anyone confirm that lib3ds-2 doesn't break any of the packages that use lib3ds?

@maintainers: can we clean lib3ds-1.3.0? This has been in cleanup mode for approximately 6 months. Will clean in 15 days if no response is given.

It's gone.

Maintainer(s), Thank you for cleanup!

This issue was resolved and addressed in GLSA 201405-23 at http://security.gentoo.org/glsa/glsa-201405-23.xml by GLSA coordinator Sean Amoss (ackle).