| Field | Value |
|---|---|
| Summary: | <www-client/firefox-bin-10.0.2, <mail-client/thunderbird-bin-10.0.2, <www-client/seamonkey-bin-2.7.2: libpng integer overflow (CVE-2011-3026) |
| Product: | Gentoo Security |
| Reporter: | KinG-InFeT <king.infet> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | major |
| CC: | ainsaar, pacho |
| Priority: | Normal |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3026 |
| See Also: | http://bugs.gentoo.org/show_bug.cgi?id=404197 |
| Whiteboard: | A2 [glsa] |
| Runtime testing required: | --- |
Description (KinG-InFeT, 2012-02-18 18:49:14 UTC)
Mozilla, is this bug valid for Gentoo, or do we always use the system libpng? We have bug 404197 for libpng itself. Thanks.

-bin packages are only affected, we use system png in source builds.

All the relevant -bin packages are in the tree. Should we work on getting them stabilised and turn this into a STABLEREQ bug?

(In reply to comment #3)
> All the relevant -bin packages are in the tree. Should we work on getting them
> stabilised and turn this into a STABLEREQ bug?

Yep, thank you.

Arches, please test and mark stable:

- =www-client/firefox-bin-10.0.2, target keywords: "amd64 x86"
- =mail-client/thunderbird-bin-10.0.2, target keywords: "amd64 x86"
- =www-client/seamonkey-bin-2.7.2, target keywords: "amd64 x86"

Created attachment 302671 [details]: QA Notices

amd64: Attached above are the QA notices for all three packages. Can those be fixed on the fly? Other than that, packages pass.

x86 stable

(In reply to comment #6)
> amd64:
>
> Attached above are the QA notices for all three packages. Can those be fixed on
> the fly?
>
> Other than that, packages pass.

Since they're built by Mozilla and not any Gentoo team, AFAIK, they can't be fixed.

(In reply to comment #8)
> (In reply to comment #6)
> > amd64:
> >
> > Attached above are the QA notices for all three packages. Can those be fixed on
> > the fly?
> >
> > Other than that, packages pass.
>
> Since they're built by Mozilla and not any Gentoo team, AFAIK, they can't be
> fixed.

You should be able to skip that warning by setting the QA_FLAGS_IGNORED variable (as I can read in "man 5 ebuild").

Those QA warnings should be 'hidden' in the mozilla-bin ebuild with QA_DT_HASH.

amd64 ok

QA warnings fixed.

amd64: pass

amd64 stable

Old (vulnerable) versions removed from the tree.

Thanks, everyone. Added to existing GLSA request.

Can't this bug be closed since these package versions are no longer in the Portage tree?

This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).