| Summary: | <net-proxy/c-icap-0.2.6: (upstream: <r1018 in trunk) - Denial of Service (CVE-2013-{7401,7402}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Petr Berestov <berestovp> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | flameeyes, net-proxy+disabled |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.osvdb.org/show/osvdb/89304 | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Petr Berestov
2013-02-03 17:40:50 UTC
*** Bug 455316 has been marked as a duplicate of this bug. ***

Thanks for the report, Petr. @maintainers: does the proposed patch seem reasonable?

Upstream has patched this in line 299 with a slightly more intrusive approach:

http://sourceforge.net/p/c-icap/code/HEAD/tree/c-icap-server/trunk/c-icap/request.c

As \0 leads to false, this includes the behavior from the patch Petr suggests.

This is _not_ part of their 0.2.6 release:

http://sourceforge.net/p/c-icap/code/HEAD/tree/c-icap-server/tags/c_icap_0_2_6/request.c

So, I have decided to bump to 0.2.6 and backport line 299 from trunk in a patch.

+ 08 Oct 2013; Tom Wijsman <TomWij@gentoo.org> +c-icap-0.2.6.ebuild, + +files/c-icap-0.2.6-fix-icap-parsing.patch: + Version bump to 0.2.6, patch DoS due to patching bug for security bug #455324; + removal of forced openrc dependency.

Arch teams: Please stabilize net-proxy/c-icap-0.2.6, target: amd64 x86

Feel free to remove the older versions once stabilization succeeded.

If you can't properly test it (I can't); please wait for flameeyes to do so, or in absence please consider to apply the patch against an earlier version then.

amd64 stable

Arches, please test and mark stable:
=net-proxy/c-icap-0.2.6
Target keywords : "amd64 x86"

Note: URL Removed from Whiteboard: http://sourceforge.net/p/c-icap/code/1018/

x86 stable

GLSA Vote: Yes

Maintainer(s), please drop the vulnerable version(s).

YES too, request filed.

Maintainer timeout, cleanup done.

This issue was resolved and addressed in GLSA 201409-07 at http://security.gentoo.org/glsa/glsa-201409-07.xml by GLSA coordinator Kristian Fiskerstrand (K_F).