Bug 344059 (CVE-2010-3999)

Comment 1 Pacho Ramos 2011-03-15 10:04:42 UTC

+*gnucash-2.4.4 (15 Mar 2011)
+
+  15 Mar 2011; Pacho Ramos <pacho@gentoo.org> -gnucash-2.4.0.ebuild,
+  -files/gnucash-2.4.0-fix-tests-linking.patch, +gnucash-2.4.4.ebuild:
+  Version bump with a lot of bugfixes, remove old.
+

But, please, wait a bit for stabilizing as 2.4 includes many changes over current stable and has been just unmasked

Comment 2 Tim Sammut (RETIRED) 2011-04-15 03:27:27 UTC

(In reply to comment #1)
> +*gnucash-2.4.4 (15 Mar 2011)
> +
> +  15 Mar 2011; Pacho Ramos <pacho@gentoo.org> -gnucash-2.4.0.ebuild,
> +  -files/gnucash-2.4.0-fix-tests-linking.patch, +gnucash-2.4.4.ebuild:
> +  Version bump with a lot of bugfixes, remove old.
> +
> 
> But, please, wait a bit for stabilizing as 2.4 includes many changes over
> current stable and has been just unmasked

Hi, Pacho. What do you think? Are you comfortable moving this forward? Thanks.

Comment 3 Pacho Ramos 2011-04-15 09:00:01 UTC

Sadly I think bug 359033 prevents us from stabilizing this, any help with that one is highly appreciated

Comment 4 Tim Sammut (RETIRED) 2011-05-01 03:08:55 UTC

(In reply to comment #3)
> Sadly I think bug 359033 prevents us from stabilizing this, any help with that
> one is highly appreciated

Hi, Pacho, folks.

Should we move to stabilize 2.4.5 now? Thanks!

Comment 5 Pacho Ramos 2011-05-01 09:45:35 UTC

I am really busy these days and couldn't test it :-/, but, if other gnome team member agrees with stabling it, ok :)

Comment 6 Gilles Dartiguelongue (RETIRED) 2011-05-02 09:05:53 UTC

I've had no problems with 2.4 series yet and 2.4.5 has all build failure fixes we actually can do something about so I'm ok with stabilization.

Comment 7 Tim Sammut (RETIRED) 2011-05-02 14:37:31 UTC

(In reply to comment #6)
> I've had no problems with 2.4 series yet and 2.4.5 has all build failure fixes
> we actually can do something about so I'm ok with stabilization.

Great, thanks again.

Arches, please test and mark stable:
=app-office/gnucash-2.4.5
Target keywords : "alpha amd64 ppc sparc x86"

Comment 8 Tobias Klausmann (RETIRED) 2011-05-02 16:53:24 UTC

Stable on alpha.

Comment 9 Markos Chandras (RETIRED) 2011-05-03 10:39:48 UTC

Does not work for me because of bug #344231

Comment 10 Gilles Dartiguelongue (RETIRED) 2011-05-03 14:34:43 UTC

(In reply to comment #9)
> Does not work for me because of bug #344231

That does not stop the build, it just makes it wait for a good amount of time for the find to complete (about 10 minutes on my laptop with python 2.6, 2.7 and 3.1).

Comment 11 Paweł Hajdan, Jr. (RETIRED) 2011-05-04 17:50:04 UTC

x86 stable

Comment 12 Thomas Kahle (RETIRED) 2011-05-04 17:53:29 UTC

x86 stable. Thanks.

Comment 13 Markos Chandras (RETIRED) 2011-05-04 19:34:49 UTC

amd64 done

Comment 14 Raúl Porcel (RETIRED) 2011-05-07 18:35:46 UTC

sparc keyword dropped

Comment 15 Kacper Kowalik (Xarthisius) (RETIRED) 2011-05-22 18:23:37 UTC

ppc stable, last arch done

Comment 16 Tim Sammut (RETIRED) 2011-05-23 02:32:00 UTC

Thanks, everyone. GLSA request filed.

Comment 17 GLSAMaker/CVETool Bot 2011-06-24 19:57:12 UTC

CVE-2010-3999 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3999):
  gnc-test-env in GnuCash 2.3.15 and earlier places a zero-length directory
  name in the LD_LIBRARY_PATH, which allows local users to gain privileges via
  a Trojan horse shared library in the current working directory.

Comment 18 GLSAMaker/CVETool Bot 2014-12-12 00:36:07 UTC

This issue was resolved and addressed in
 GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).