Summary: | <dev-libs/gmime-{2.2.26,2.4.15}: buffer overflow (CVE-2010-0409) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | gnome, net-mail+disabled
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.14-2.4.15.diff.gz | |
Whiteboard: | B2 [glsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 324157 | |
Bug Blocks: | | |

Description
Stefan Behte (RETIRED)
2010-03-06 15:39:33 UTC
2.4.14 was never added to the tree. We have got 2.2.x and 2.4.9 in tree, I checked the code of 2.4.9 and it seems to need the patch. Patch for 2.4.x here: http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.14-2.4.15.diff.gz

2.2.x has the issue, too, but it's a different file:
gmime/gmime-utils.h:#define GMIME_UUENCODE_LEN(x) ((size_t) (((((x) + 2) / 45) * 62) + 62))

gnome, can we stable 2.4.15 and drop 2.2.x?

(In reply to comment #2)
> gnome, can we stable 2.4.15 and drop 2.2.x?

It cannot be dropped yet since some apps still require it in the tree. I will try to get it backported: https://bugzilla.gnome.org/show_bug.cgi?id=614025

This security problem is solved then with the following versions:
dev-libs/gmime-2.2.26
dev-libs/gmime-2.4.15

The package is being stabilized in bug 324157.

ppc64 is still missing.

ppc64 now has 2.4.17 and 2.2.26 stable. Please proceed.

Thanks, everyone. GLSA request filed.

This issue was resolved and addressed in GLSA 201401-19 at http://security.gentoo.org/glsa/glsa-201401-19.xml by GLSA coordinator Sean Amoss (ackle).