| Summary: | dev-embedded/bitbake: denial of service | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | embedded |
| Priority: | Normal | Keywords: | PMASKED |
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2015/02/16/5 | ||
| Whiteboard: | B3 [ebuild+] | ||
| Package list: | | Runtime testing required: | --- |
From ${URL} :

Executing "bitbake -g -u depexp <package>" when DISPLAY is not properly set causes segfault and a denial of service (through OOM) via a crafted script.

Bug Report URL: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7299

Patch link (master branch): http://git.openembedded.org/bitbake/commit/?id=f35e9bd7b59c180fe9a3d9177efb57b92d9cd373

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Fix is in 1.26 upstream: https://github.com/openembedded/bitbake/releases

@Maintainers ping.

Gentoo Security Padawan
ChrisADR

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ca40e7827f412c1ac0cf5c17da299599e040e4e

commit 5ca40e7827f412c1ac0cf5c17da299599e040e4e
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-17 17:13:57 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-08-17 17:14:28 +0000

    profiles/package.mask: mask dev-embedded/bitbake

    Bug: https://bugs.gentoo.org/540360
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)

bitbake-1.42.0.tar.gz

Why not just version bump it?

(In reply to Michael Lawrence from comment #4)
> bitbake-1.42.0.tar.gz
>
> Why not just version bump it?

If someone wants to maintain it then they can.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e28041d3c2fc03af42339e44f8696f17573a405

commit 6e28041d3c2fc03af42339e44f8696f17573a405
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-17 08:40:21 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-17 09:23:21 +0000

    dev-embedded/bitbake: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/540360
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-embedded/bitbake/Manifest              |  1 -
 dev-embedded/bitbake/bitbake-1.17.0.ebuild | 38 ------------------------------
 dev-embedded/bitbake/bitbake-9999.ebuild   | 38 ------------------------------
 dev-embedded/bitbake/metadata.xml          | 11 ---------
 profiles/package.mask                      |  5 ----
 5 files changed, 93 deletions(-)

Package is removed from repository.

Not creating removal GLSA because reported vulnerability is just a local crash.