| Summary: | <app-misc/bb-1.3.0_rc1-r3: LZO Denial of Service and Arbitrary Code Execution through embedded code | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Yury German <blueknight> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | trivial | CC: | slyfox |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://seclists.org/oss-sec/2014/q2/676 | | |
| Whiteboard: | ~3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Yury German
2014-06-27 01:16:38 UTC
'bb' is a standalone ASCII-art demo program. It does not receive LZO streams from outside, thus it should not be vulnerable. Don't know which status to set.

But I've unbundled lzo and pushed an update anyway:

> *bb-1.3.0_rc1-r3 (30 Jun 2014)
>
> 30 Jun 2014; Sergei Trofimovich <slyfox@gentoo.org> +bb-1.3.0_rc1-r3.ebuild:
> Unbundle minilzo (bug #515286)

Thanks!
> But I've unbundled lzo and pushed an update anyway:
>
> > *bb-1.3.0_rc1-r3 (30 Jun 2014)

Thank you.

If you can remove the vulnerable version we will be all set.
> If you can remove the vulnerable version we will be all set.

Sure. Done as:

> 01 Jul 2014; Sergei Trofimovich <slyfox@gentoo.org> -bb-1.3.0_rc1-r2.ebuild:
> Removed old version with bundled buggy lzo library (bug #515286).

Maintainer(s), thank you for the cleanup!

No GLSA needed as there are no stable versions.