Summary: | app-misc/lcdproc - remote overflow - all versions | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Florian Schilhabel (RETIRED) <ruth> |
Component: | GLSA Errors | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | critical | CC: | reenoo |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Florian Schilhabel (RETIRED)
2004-04-09 06:22:52 UTC
Version bumped and patch added, could somebody please mark these as stable on X86 and AMD64? Thanks! rootshell : In fact you should use Product = Gentoo Linux and Component = Security for all vulnerabilities entries. We set it to GLSA when the fix is ready :) Setting it back to Gentoo Linux/Security and accept it as ASSIGNED Severity > critical as this is a C1. Stable on AMD64. @Koon: didn't know that - sorry... ;-) so long rootshell Bump: Still waiting for stable on x86 on app-misc/lcdproc-0.4.4-r1.ebuild. -K Stable on x86 app-misc/lcdproc-0.4.4-r1 stable on all platforms Ready for a GLSA It would be nice if "security advisories" were checked before patches are committed. The issues reported are valid. However, the patch provided fails to fix one issues and doesn't even try to fix another one mentioned. I've fixed the issues upstream and released 0.4.5. It doesn't contain any other changes and should be safe to commit. FWIW the exploit is not remotely exploitable with the default configuration as shipped with the ebuild. See a corrected advisory here: http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html Rene: Thanks for the heads-up. We rely on community bug submission for vulnerability feed and we didn't see any upstream version patching these issues, that's why we committed the (partial) fix. Obviously we should be more careful on upstream status. Tim: Could you remove the patch and bump the ebuild to 0.4.5 ? -K GLSA 200404-19. |