
Bug 494444

Summary: sys-libs/glibc-2.17 - multiple vulnerabilities?
Product: Gentoo Security
Reporter: Ulenrich <ulenrich>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
CC: axiator, toolchain
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments:
Description Flags
glibc-2.17-CVE-Debian-2013-autumn.patch none

Description Ulenrich 2013-12-16 13:16:37 UTC
Reading the Changelogs when updating my Debian-sid, 
I found these eglibc patches 
which are applicable to Gentoo glibc-2.17 just fine:

CVE-2013-4332-memalign.diff.patch
CVE-2013-4332-pvalloc.diff.patch
CVE-2013-4332-valloc.diff.patch
CVE-2013-4237.diff.patch
CVE-2013-4788-static-ptrguard.diff.patch
CVE-2013-4788-static-ptrguard-arm.diff.patch
CVE-2013-4237-alignment.diff.patch
NonCVE-findlocale-div-by-zero.diff.patch

My Gentoo ~unstable runs well with these patches.
Is it Gentoo policy to provide security support only for the stable glibc-2.16?


Reproducible: Always
Comment 1 Ulenrich 2013-12-16 13:17:46 UTC
Created attachment 365468
glibc-2.17-CVE-Debian-2013-autumn.patch
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2013-12-16 13:21:18 UTC

*** This bug has been marked as a duplicate of bug 484646 ***
Comment 3 Agostino Sarubbo gentoo-dev 2013-12-16 14:00:46 UTC
All CVEs you listed are filed separately as bugs.
Comment 4 Ulenrich 2013-12-16 14:40:14 UTC
@Agostino
Is the portage GLSA checker able to automatically examine what upstream git commit to use as an epatch_user patch applicable to my special glibc-2.17 version? The Gentoo CVE bugs you mention do not specify any glibc version. How do I get these bugs' information out of the bug tracker into my portage tree?