Summary: | Qt 4.8.6-r1 stable request (CVE-2015-1860) | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Michał Górny <mgorny> |
Component: | [OLD] Keywording and Stabilization | Assignee: | Qt Bug Alias <qt> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | anton.wd, bgo, cirilloblu, cschieli, debotux, dirk.olmes, genzilla, kiselev.sg, martijn.schmidt, multilib+disabled, newchief, powerman-asdf, sven.koehler, t-mo, wasundwarum |
Priority: | Normal | Keywords: | STABLEREQ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=543334 | ||
Whiteboard: | |||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 524924, 529196, 529398, 532422, 532510, 545106, 545142, 547350, 547998, 548622 | ||
Bug Blocks: | 525254, 543326, 546174 |
Description
Michał Górny
2014-11-23 20:48:23 UTC
(In reply to Michał Górny from comment #0)
> Or dropping stable keywords from the only multilib revdep :).

What are you talking about?

(In reply to Davide Pesavento from comment #1)
> (In reply to Michał Górny from comment #0)
> > Or dropping stable keywords from the only multilib revdep :).
>
> What are you talking about?

games-kids/crayon-physics is the only stable thing needing multilib Qt4. We can either stabilize Qt4 or drop stable keywords from it to make way for no-emul-linux-x86 stable systems.

It's clearly too early to stabilize 4.8.6-r1, plus there are known regressions.
Please drop that package to ~arch. It should have never gone stable anyway.

(In reply to Davide Pesavento from comment #3)
> It's clearly too early to stabilize 4.8.6-r1, plus there are known
> regressions.
> Please drop that package to ~arch. It should have never gone stable anyway.

Just to be clear, it went stable using emul-linux-x86-qtlibs.

*** Bug 545026 has been marked as a duplicate of this bug. ***

*** Bug 545098 has been marked as a duplicate of this bug. ***

*** Bug 545100 has been marked as a duplicate of this bug. ***

I think at this point it's better to CC arches and proceed with the stabilization.

Arches, please test and mark stable:

dev-qt/assistant-4.8.6-r1
dev-qt/designer-4.8.6-r1
dev-qt/linguist-4.8.6-r1
dev-qt/pixeltool-4.8.6-r1
dev-qt/qdbusviewer-4.8.6-r1
dev-qt/qt3support-4.8.6-r1
dev-qt/qtbearer-4.8.6-r1
dev-qt/qtcore-4.8.6-r2
dev-qt/qtdbus-4.8.6-r1
dev-qt/qtdeclarative-4.8.6-r1
dev-qt/qtdemo-4.8.6-r1
dev-qt/qtgui-4.8.6-r4
dev-qt/qthelp-4.8.6-r3
dev-qt/qtmultimedia-4.8.6-r1
dev-qt/qtopengl-4.8.6-r1
dev-qt/qtopenvg-4.8.6-r1
dev-qt/qtphonon-4.8.6-r1
dev-qt/qtscript-4.8.6-r2
dev-qt/qtsql-4.8.6-r1
dev-qt/qtsvg-4.8.6-r1
dev-qt/qttest-4.8.6-r1
dev-qt/qttranslations-4.8.6-r1
dev-qt/qtwebkit-4.8.6-r1
dev-qt/qtxmlpatterns-4.8.6-r1

Some ebuilds have not been keyworded on certain minor arches, so on those arches the specific ebuilds can be skipped.

Note that 4.8.6-r1 is especially important for amd64, because it introduces eclass-based multilib, and has multiple related fixes. Other arches may opt to wait until 4.8.7, which is expected to be released next week, and for which we will file a stable request within a month after release.

(In reply to Ben de Groot from comment #9)
> Arches, please test and mark stable:
>
> dev-qt/assistant-4.8.6-r1
> dev-qt/designer-4.8.6-r1
> dev-qt/linguist-4.8.6-r1
> dev-qt/pixeltool-4.8.6-r1
> dev-qt/qdbusviewer-4.8.6-r1
> dev-qt/qt3support-4.8.6-r1
> dev-qt/qtbearer-4.8.6-r1
> dev-qt/qtcore-4.8.6-r2
> dev-qt/qtdbus-4.8.6-r1
> dev-qt/qtdeclarative-4.8.6-r1
> dev-qt/qtdemo-4.8.6-r1
> dev-qt/qtgui-4.8.6-r4
> dev-qt/qthelp-4.8.6-r3
> dev-qt/qtmultimedia-4.8.6-r1
> dev-qt/qtopengl-4.8.6-r1
> dev-qt/qtopenvg-4.8.6-r1
> dev-qt/qtphonon-4.8.6-r1
> dev-qt/qtscript-4.8.6-r2
> dev-qt/qtsql-4.8.6-r1
> dev-qt/qtsvg-4.8.6-r1
> dev-qt/qttest-4.8.6-r1
> dev-qt/qttranslations-4.8.6-r1
> dev-qt/qtwebkit-4.8.6-r1
> dev-qt/qtxmlpatterns-4.8.6-r1
>
> Some ebuilds have not been keyworded on certain minor arches, so on those
> arches the specific ebuilds can be skipped.

++ dev-qt/qtchooser

amd64 stable

x86 stable

Stable for HPPA PPC64.

ppc stable

CVE-2015-1860 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1860): Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted GIF image.

arm stable

Stable on alpha. Removed associated mask.

ia64 stable

sparc stable.

Awesome, that was the last arch therefore we can finally close this bug. Removal of the vulnerable version(s) will be handled in bug 546174.