| Summary: | net-misc/sitecopy-0.13.4 using vulnerable libneon | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | enhancement | ||
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | All | ||
| URL: | http://www.openpkg.org/security/OpenPKG-SA-2004.024-neon.html | ||
| Whiteboard: | B2 [glsa?] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Sune Kloppenborg Jeppesen (RETIRED)
2004-05-20 12:16:16 UTC
No official upstream fix. I suppose we should include the neon 0.24.6 corrected files as a patch. agriffis, there is no maintainer and you were the last to act on this one : do you think you can produce a patched 0.13.4-r2 ? also cc'ing lanius since he was recently active in the changelog. Emailed the author asking for a status update. He confirmed the vulnerability and did not have any immediate plans to issue a patched version of his software that is not vulnerable. Recommend hard masking in portage and issuing a GLSA. Sent to gentoo-dev: "Re: http://bugs.gentoo.org/show_bug.cgi?id=51585 The author of that package has indicated he has no immediate plans to release a new version of his program that contains the fixes for the security vulnerability. This package also seems to be unmaintained in portage at the moment, so unless someone wants to pick up the maintainership of this package and backport the fixes to it, it will be security masked in portage in 24 hours and we'll be issuing a GLSA explaining the issue. --kurt" The masking GLSA is ready but cannot be sent until sitecopy is hard-masked. hard masked in portage. Temporary GLSA 200406-03 issued Is this patch good enough to un-mask this package? I've tested it and it appears to not ever use the libneon packaged with sitecopy (libneon/ is not compiled). If the user tries to use --nodep, econf will die.
--- sitecopy-0.13.4-r1.ebuild 2004-04-26 14:24:47.000000000 -0500
+++ sitecopy-0.13.4-r9.ebuild 2004-06-12 02:07:49.141909824 -0500
@@ -20,7 +20,8 @@
gnome? (
gnome-base/gnome-libs
=x11-libs/gtk+-1*
- )"
+ )
+ >=net-misc/neon-0.24.6"
src_compile() {
local myconf=""
@@ -41,6 +42,10 @@
&& myconf="${myconf} --enable-nls" \
|| myconf="${myconf} --disable-nls"
+ # Bug 51585, GLSA 200406-03
+ einfo "Forcing the use of the system-wide neon library (BR #51585)."
+ myconf="${myconf} --with-neon"
+
econf ${myconf} || die "econf failed"
emake || die "emake failed"
We currently lack a maintainer for this package, so evaluation could take a little while. Thank you for providing this patch ! Just for the records: The solution suggested by Kurt V. Hindenburg is now used by the FreeBSD port. http://www.freebsd.org/cgi/query-pr.cgi?pr=68461 sent mail to -dev asking for someone to take on this package. Will remove from portage in 3 days if no action. configure: using neon library 0.24.6
uses the right neon version
>>> net-misc/sitecopy-0.13.4-r2 merged.
compiled
in cvs.
x86, ppc, sparc : please package.unmask, test and mark net-misc/sitecopy-0.13.4-r2 stable. *bump* x86, ppc, sparc : please package.unmask, test and mark net-misc/sitecopy-0.13.4-r2 stable. *bump* Stable on sparc. Staying on the bug until it's removed from package mask stable on ppc Stable on x86. used sitecopy with one of my websites. setup with the website. syncronized, modified files, deleted files, moved files sync'ed with my site. All works well. GLSA part next. Er.. removing the cc for x86 would help.... *cough* no one saw that... *cough* "Stable on sparc. Staying on the bug until it's removed from package mask" Weeve: sitecopy is package.unmasked now, removing sparc from CC. Updated GLSA. Question is should we rerelease it? Good question... Information provided in that GLSA is correct but superseded by more recent information. I think we should issue an "UPDATE:"-type GLSA for these things but I also think it would confuse most users if not properly presented (it should talk about the previous state to explain the update a little more). More opinions needed. GLSA update has been decided not to be needed. Closing. Sitecopy, welcome back. |