| Field | Value |
|---|---|
| Summary | <app-office/texmacs-1.0.7.2-r1: Insecure LD_LIBRARY_PATH setting (CVE-2010-3394) |
| Product | Gentoo Security |
| Reporter | Alex Legler (RETIRED) <a3li> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | major |
| CC | grozin |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B1 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 337534 |
| Attachments | |
Description

Alex Legler (RETIRED)
2010-09-15 18:04:09 UTC

Upstream will be informed soon, waiting for the issues to be published.

The Red Hat bug at https://bugzilla.redhat.com/show_bug.cgi?id=638427 is now public.

(In reply to comment #2)
> The Red Hat bug at https://bugzilla.redhat.com/show_bug.cgi?id=638427 is now
> public.

Does this mean I may commit the fix to the tree? The fix is trivial (honestly speaking, I think nobody uses the TeXmacs - MuPAD interface: MuPAD is dead, and I doubt the interface worked with the latest versions of MuPAD before its death; so, the risk is minimal).

(In reply to comment #3)
> Does this mean I may commit the fix to the tree?

Yes, please, thank you. I am making this bug public now too.

Fix committed. Now we have to stabilize 1.0.7.2-r1 as soon as possible, and remove 1.0.7.2. Or, even better, stabilize 1.0.7.10, and remove 1.0.7.2 and 1.0.7.2-r1. Thank you.

Arches, please stabilize =app-office/texmacs-1.0.7.2-r1

texmacs-1.0.7.10-r1 has an unstable qt4 USE flag, and the ebuild seems to suggest it's not masked. We're going to do a fast-track stabilization here, so let's avoid the trouble now.

(In reply to comment #6)
> texmacs-1.0.7.10-r1 has an unstable qt4 USE flag, and the ebuild seems to
> suggest it's not masked.

Yes, it's not masked for a few versions already. The qt4 port is becoming much better, and is already quite usable. Maybe it's time to remove the warning from pkg_setup. But the plain X version (-qt4) is still more stable.

Created attachment 266397 [details]
Build log

See QA notice.

x86 stable. Thanks.

ppc stable

amd64 done. I am ignoring the QA issues for now since security problems are of higher priority.

Stable on alpha.

What does the message

```
 * QA Notice: The following files contain insecure RUNPATHs
 * Please file a bug about this at http://bugs.gentoo.org/
 * with the maintaining herd of the package.
 * usr/libexec/TeXmacs/bin/texmacs.bin
```

actually mean? What is RUNPATH? And by what is it determined?

alpha/sparc stable

Thanks, folks. GLSA request filed.

This issue was resolved and addressed in GLSA 201401-27 at http://security.gentoo.org/glsa/glsa-201401-27.xml by GLSA coordinator Sean Amoss (ackle).
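As an added example (not code from this bug, from TeXmacs or from Gentoo's QA tooling), the POSIX shell script below shows what the two notices in this thread have in common. Both LD_LIBRARY_PATH and an ELF file's DT_RUNPATH/DT_RPATH (the search path a linker bakes into a binary, which is what the "insecure RUNPATHs" QA notice refers to) are colon-separated lists that the glibc dynamic loader searches in order, and a zero-length component in either, the usual result of writing `LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/some/dir` while the variable is unset, is searched as the current working directory, as is any relative component. The first function applies that rule to a search-path string; the second reads a binary's RUNPATH with `readelf -d` and feeds it to the same check; the third shows the standard idiom for extending the variable without ever creating an empty component. The `/var/tmp/portage` build-tree prefix and the exact set of things flagged are this example's own assumptions, not Gentoo's QA policy.

```shell
#!/bin/sh
# Added example (not from the bug report, TeXmacs or Gentoo's QA tools).
# Checks colon-separated library search paths the way glibc's ld.so
# interprets them: an empty component and a relative component both
# resolve against the current working directory.

# Assumed build-tree prefix; components under it are flagged as leftovers
# from the build. Gentoo's own QA check applies its own rules.
BUILD_TMP_PREFIX="${BUILD_TMP_PREFIX:-/var/tmp/portage}"

# Print one line per insecure component of the search path in $1.
# Absolute paths and $ORIGIN-relative paths pass. An entirely empty value
# prints nothing, matching glibc, which ignores an empty LD_LIBRARY_PATH.
insecure_components() {
    path="$1"
    if [ -z "$path" ]; then
        return 0
    fi
    # tr keeps empty fields: "a:" becomes "a" followed by an empty line.
    printf '%s\n' "$path" | tr ':' '\n' | while IFS= read -r comp; do
        case "$comp" in
            '')
                printf '<empty> (searched as the current directory)\n' ;;
            "$BUILD_TMP_PREFIX"/*)
                printf '%s (inside the build tree)\n' "$comp" ;;
            '$ORIGIN'*|/*)
                : ;;   # absolute or loader-expanded: accepted by this check
            *)
                printf '%s (relative: searched under the current directory)\n' "$comp" ;;
        esac
    done
}

# Number of insecure components in $1 (0 means the path is clean).
count_insecure() {
    insecure_components "$1" | wc -l | tr -d ' '
}

# DT_RUNPATH / DT_RPATH of the ELF file in $1 as readelf prints it
# (empty output if the file has none or readelf is unavailable).
elf_runpath() {
    readelf -d "$1" 2>/dev/null |
        sed -n 's/.*(R\(UN\)\{0,1\}PATH).*\[\(.*\)\]/\2/p'
}

# Build a value that puts directory $1 in front of the existing search
# path $2 without creating a zero-length component: the separator is only
# emitted when $2 is non-empty. This is the safe form of
# LD_LIBRARY_PATH="$dir:$LD_LIBRARY_PATH", which breaks when the variable
# is unset.
prepend_lib_path() {
    printf '%s%s\n' "$1" "${2:+:$2}"
}

# Stand-alone use: ./check_paths.sh [elf-file ...]
for f in "$@"; do
    printf '== %s: RUNPATH [%s]\n' "$f" "$(elf_runpath "$f")"
    insecure_components "$(elf_runpath "$f")"
done
```

Run with one or more binaries as arguments to see their RUNPATH checked; the same `insecure_components` function can be pointed at `"$LD_LIBRARY_PATH"` to audit a wrapper script's environment before it launches a program.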