
Bug 554262

Summary: <app-text/htmldoc-1.8.29: Multiple buffer overflows
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Flags: stable-bot: sanity-check+
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.msweet.org/blog.php?L52+Z1
Whiteboard: B3 [noglsa]
Package list:
=app-text/htmldoc-1.8.29
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2015-07-08 19:40:21 UTC
The upstream changelog for 1.8.28 says:
SECURITY: Fixed three buffer overflow issues when reading AFM files and parsing page sizes.

The ebuild already contains a patch for an overflow, but as the changelog talks about three I assume this doesn't cover all of them.

htmldoc is currently maintainer-needed.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-02-15 10:57:14 UTC
No corresponding CVEs.  Package may need to be considered for tree cleaning as well if it remains maintainer-needed.
Comment 2 Hanno Böck gentoo-dev 2016-04-16 14:30:30 UTC
htmldoc 1.8.29 was committed to the tree.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 19:25:50 UTC
@ Arches,

please test and mark stable: =app-text/htmldoc-1.8.29
Comment 4 Agostino Sarubbo gentoo-dev 2016-12-01 12:51:53 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-12-01 12:54:33 UTC
x86 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-02 14:21:47 UTC
Stable on alpha.
Comment 7 Agostino Sarubbo gentoo-dev 2017-01-11 10:38:22 UTC
sparc stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-14 12:48:07 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-15 15:51:58 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-17 14:26:37 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-18 10:04:20 UTC
ppc64 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-01-19 10:40:32 UTC
No PoC for ACE/RCE, downgraded to B3.

GLSA Vote: No

Tree is clean:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5734ce51ae989c6d907f680ede2a6e9dca75f585