| Summary: | <media-plugins/audacious-plugins-3.1 Multiple vulnerabilities (CVE-2011-{2911,2912,2913,2914,2915}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | chainsaw, jdhore, n0idx80, sound |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://jira.atheme.org/browse/AUDPLUG-394 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=379557 | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 395213 | | |
| Bug Blocks: | | | |
Description

Agostino Sarubbo

```
+*audacious-3.0.3 (22 Sep 2011)
+
+ 22 Sep 2011; Tony Vroon <chainsaw@gentoo.org> -audacious-3.0.2.ebuild,
+ +audacious-3.0.3.ebuild:
+ Version bump. Ebuild improvements by Agostino "ago" Sarubbo close bugs
+ #380577, #383357 & #383649. Remove vulnerable version for security bug
+ #383991.
+*audacious-plugins-3.0.3 (22 Sep 2011)
+
+ 22 Sep 2011; Tony Vroon <chainsaw@gentoo.org>
+ -audacious-plugins-3.0.2.ebuild, +audacious-plugins-3.0.3.ebuild,
+ metadata.xml:
+ Version bump. Ebuild improvements by Agostino "ago" Sarubbo close bugs
+ #380577, #383357 & #383649. Remove vulnerable version for security bug
+ #383991.
```

Security, please proceed to GLSA voting.

(In reply to comment #1)
> Security, please proceed to GLSA voting.

~3 is noglsa, resolved as fixed. Thanks.

*** Bug 390319 has been marked as a duplicate of this bug. ***

(In reply to comment #0)
> From original advisory, only 3.x version is affected, so there is nothing to
> stabilize.

Agostino, are you sure only 3.x is affected? Oftentimes what is listed as "Affected" in bugs is simply the version it was first found in... And what is "Affected" in advisories is what is "Supported" by upstream.

(In reply to comment #4)
> Agostino, are you sure only 3.x is affected?

Sorry for this; after mailing upstream I understood that only 3.0.1 is mentioned because 2.x is no longer supported, but it is still vulnerable.

Maintainer approves stabilization, so I'll add arches.
Arches, please test and mark stable:
=media-sound/audacious-3.0.3-r1
=media-plugins/audacious-plugins-3.0.3
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

amd64 ok

```
Depends on:                            Required use [...]:
x11-libs/gtk+-3.0.12-r1                [test]
media-libs/libcanberra-0.28-r5         [gtk3]
x11-misc/notification-daemon-0.5.0     [gnome]
virtual/notification-daemon-0          [gnome]
x11-libs/libnotify-0.7.4               [libnotify]
x11-base/xorg-server-1.10.4-r1         [xvfb]
media-plugins/audacious-plugins-3.0.3  [libnotify]
media-sound/audacious-3.0.3-r1         [xvfb]
```

~amd64 ok

amd64: pass

```
+ 15 Nov 2011; Tony Vroon <chainsaw@gentoo.org> audacious-3.1.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+ Elijah "Armageddon" El Lazkani in security bug #383991.
+ 15 Nov 2011; Tony Vroon <chainsaw@gentoo.org> audacious-plugins-3.1.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo &
+ Elijah "Armageddon" El Lazkani in security bug #383991.
```

(In reply to comment #10)
> + 15 Nov 2011; Tony Vroon <chainsaw@gentoo.org> audacious-3.1.ebuild:
> + 15 Nov 2011; Tony Vroon <chainsaw@gentoo.org> audacious-plugins-3.1.ebuild:

So we're going for 3.1 now?

No, 3.0.3 is already unaffected.

(In reply to comment #12)
> no, already 3.0.3 is unaffected

Then why were both 3.1s marked stable for amd64?

(In reply to comment #13)
> Then why were both 3.1s marked stable for amd64?

Because of a significant amount of bug & stability fixes that have gone in since the 3.0 branch was closed. I do not believe that the modplug vulnerabilities in question were ever relevant to our in-tree copy, which had additional fixes applied and diverged from what upstream had put out. However, if I am forced into an update, it might as well be one that benefits users. You are free to mark 3.0.3 instead if you disagree.

So we should do this.
Arch teams, please test and mark stable:
=media-sound/audacious-3.1
=media-plugins/audacious-plugins-3.1
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

Stable for HPPA.

x86 stable

Fails to build on ppc/ppc64; bug #383991

(In reply to comment #18)
> Fails to build on ppc/ppc64; bug #383991

ITYM bug 395213

Also happens on Alpha, btw.

Added code to fix the linker flag bug, stable on alpha.

sparc stable

ppc done

ppc64 done

Thanks, everyone. Created new GLSA request.

This issue was resolved and addressed in GLSA 201203-14 at http://security.gentoo.org/glsa/glsa-201203-14.xml by GLSA coordinator Sean Amoss (ackle).