Summary: | net-mail/metamail format string bugs and buffer overflows | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Carsten Lohrke (RETIRED) <carlo> |
Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | blocker | CC: | christof.schulze, net-mail+disabled, ppc, seemant, sgtphou |
Priority: | Highest | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | All | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: | ebuild using new debian patch |
Description
Carsten Lohrke (RETIRED)
net-mail herd -- need a confirm/action on this. netmail folks?

Confirmed: format string and buffer overflows: http://www.kb.cert.org/vuls/id/518518 http://www.kb.cert.org/vuls/id/513062 Already published advisories include http://www.debian.org/security/2004/dsa-449 This package is not maintained upstream. We should either drop it or apply the latest Debian package patch: http://security.debian.org/pool/updates/main/m/metamail/metamail_2.7-45woody.2.diff.gz net-mail folks? -K

it's more than two months now - do you still read the Forrester study? :)

net-mail was recently reorganized, so hopefully someone can take the metamail package and bump the ebuild to the latest Debian patch (see comment above)? Thanks in advance, -K

masking this package for security reasons.

geez

Hardmasking this package leaves me with a broken portage: it constantly complains about not having metamail ready since sylpheed-claws has a dep on it. I don't want insecure software in portage either and don't have a solution for this as for now, but something like that should not happen! I'll try to grab the source directly which I did for the last metamail-version I have on my system too because the genpatches just did not work.

You're welcome to submit an updated ebuild. Otherwise, you can also unmask the package as described in the /usr/portage/profiles/package.mask file.

I'm on this, give me a few minutes

Created attachment 31204: ebuild using new debian patch

Jason, thanks for the ebuild -- I'd already had one in the works with a different patch and a different tweak in it. Anyway, people, 2.7.45.3 is in portage -- Arch maintainers, please test and stabilise.

arches -- please test/mark stable.

Stable on alpha.

Are the automake and autoconf errors that show up right after the patch expected?
```
 * Applying metamail_2.7-45.3.diff... [ ok ]
ls: ./acinclude.m4: No such file or directory
automake: Makefile.am: required file `./NEWS' not found
automake: Makefile.am: required file `./AUTHORS' not found
automake: Makefile.am: required file `./ChangeLog' not found
FATAL ERROR: Autoconf version 2.50 or higher is required for this script
FATAL ERROR: Autoconf version 2.50 or higher is required for this script
>>> Source unpacked.
```
Once seemant's patch-fu was added, it now works great and spits out no errors.

Stable on sparc

When is the patched ebuild supposed to be supplied with the portage tree officially - any schedule yet? The masking still breaks emerge -u world when using sylpheed-claws. How can I apply the patch? sorry I'm still n00b :-/

I just found http://www.gentoo.org/doc/en/portage-manual.xml#doc_chap3_sect2 again, so now I should be able to apply the fixed ebuild.

Target keywords = "x86 ppc alpha ia64 sparc s390 ~amd64 ~hppa" ppc, ia64, s390: please mark stable

Stable on s390

ppc, ia64: please mark stable

Marked ppc

GLSA 200405-17