| Summary: | dev-libs/cxxtools : remote Denial of Service (CVE-2013-7298) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | media-tv, vdr |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2014/01/18/5 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=423697 | | |
| Whiteboard: | B3 [cleanup/glsa?] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 423697 | | |
Description
Agostino Sarubbo
2014-01-19 11:47:14 UTC

CVE-2013-7298 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7298): query_params.cpp in cxxtools before 2.2.1 allows remote attackers to cause a denial of service (infinite recursion and crash) via an HTTP query that contains %% (double percent) characters.

Comment #1 (Joerg Bornkessel):

bumped to cxxtools-2.2.1

stabilizing is not needed, previous versions run on ~ARCH in all attached arches

anyway, I will add it to my ToDo list for stabilisation due to the 30 day period

thanks for reporting this...

Comment:

(In reply to Joerg Bornkessel from comment #1)
> bumped to cxxtools-2.2.1
>
> stabilizing is not needed, previous versions run on ~ARCH in all attached
> arches
>
> anyway, I will add it to my ToDo list for stabilisation due to the 30 day period
>
> thanks for reporting this...

This is not a multislot package, so we actually HAVE the previous version (even if it's a previous major version) in stable. And thus it requires stabilization. So, question: is it ready for it or not? You do not have to wait 30 days, because it's a security issue, but you should check if there are some breakages that the major version could bring into the stable tree (as usual).

Comment:

stable amd64 x86 done

Comment:

cleanup old cxxtools-2.x major release

cxxtools-1.4.8 is still in the tree, because of unresolved ARCH dependency in dev-libs/tntnet

I think there is also a security problem in dev-libs/tntnet reported here --> http://www.tntnet.org/download/tntnet-2.2.1/Releasenotes-2.2.1.html

- racing condition may result in a pthread unlock error
- in some circumstances request headers are not cleared correctly and hence may occur in subsequent requests again
- changing the root dir of tntnet did not work

I have added dev-libs/tntnet-2.2.1 for now; please let me know if we also need a stabilization. The result of this would be that we could remove all old major releases from dev-libs/tntnet and dev-libs/cxxtools.

Comment:

The old cxxtools version doesn't even build for me currently :(

Comment #5 (Pacho Ramos):

Stabilizing:
dev-libs/tntnet-2.2.1
dev-libs/cxxtools-2.2.1

Will fix all issues

Comment:

(In reply to Pacho Ramos from comment #5)
> Stabilizing:
> dev-libs/tntnet-2.2.1
> dev-libs/cxxtools-2.2.1
>
> Will fix all issues

both packages are stable now on amd64, x86 ....

Comment:

@maintainers, please remove vulnerable version (1.4.8) from tree as the previous dependency issue was resolved.

Comment:

cleanup old, done...
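The CVE text above describes the failure mode as unbounded recursion while decoding a query containing `%%`. The following is an added example, not cxxtools code (the pre-2.2.1 parser in query_params.cpp is not reproduced here): an iterative percent-decoder and query splitter in which every loop step consumes at least one input byte and any malformed escape (`%%`, `%zz`, a trailing `%`) is kept literally instead of being re-parsed, so termination does not depend on the input.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Value of one hex digit, or -1 if the character is not a hex digit.
static int hexVal(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Iterative application/x-www-form-urlencoded decoding of one token.
// A '%' is only an escape when exactly two hex digits follow it; otherwise
// the '%' is emitted as a literal byte and the cursor still advances, so
// "%%", "%zz" and a trailing "%" can never cause re-scanning or recursion.
std::string percentDecode(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (std::size_t i = 0; i < in.size(); ++i) {
        char c = in[i];
        if (c == '+') { out += ' '; continue; }
        if (c == '%' && i + 2 < in.size()) {
            int hi = hexVal(in[i + 1]), lo = hexVal(in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                out += static_cast<char>(hi * 16 + lo);
                i += 2;  // consume the two hex digits
                continue;
            }
        }
        out += c;  // literal byte (covers malformed escapes)
    }
    return out;
}

// Split "a=1&b=%%&c" into decoded (key, value) pairs; a token without '='
// yields an empty value, and empty tokens (e.g. "a=1&&b=2") are skipped.
std::vector<std::pair<std::string, std::string>> parseQuery(const std::string& q) {
    std::vector<std::pair<std::string, std::string>> params;
    std::size_t start = 0;
    while (start <= q.size()) {
        std::size_t amp = q.find('&', start);
        if (amp == std::string::npos) amp = q.size();
        std::string item = q.substr(start, amp - start);
        if (!item.empty()) {
            std::size_t eq = item.find('=');
            std::string key = item.substr(0, eq);
            std::string val = (eq == std::string::npos) ? "" : item.substr(eq + 1);
            params.emplace_back(percentDecode(key), percentDecode(val));
        }
        start = amp + 1;  // always moves forward, even past the last token
    }
    return params;
}
```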