Summary: | <dev-libs/expat-2.1.0-r5: Heap-buffer-overflow (CVE-2015-1283) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | freedesktop-bugs |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://googlechromereleases.blogspot.it/2015/07/stable-channel-update_21.html | ||
Whiteboard: | A2 [glsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-07-22 15:50:02 UTC
Do you have the patch? There haven't been any commits to expat upstream since 2010 as far as I can tell, and I don't have permission to access the google bug at $URL... @security, can you confirm, is this the patch in question: https://hg.mozilla.org/mozilla-central/rev/438d9e2a991a (seems that mozilla guys noticed it first) (In reply to Alexandre Rostovtsev from comment #2) > @security, can you confirm, is this the patch in question: > https://hg.mozilla.org/mozilla-central/rev/438d9e2a991a > > (seems that mozilla guys noticed it first) I have access to the Chromium bug in question and it's the same patch. See https://codereview.chromium.org/1151263010 for the Chromium patch corresponding to the bug. Thanks! Fixed in expat-2.1.0-r5 - which is ready for stabilization. +*expat-2.1.0-r5 (30 Jul 2015) + + 30 Jul 2015; Alexandre Rostovtsev <tetromino@gentoo.org> + -expat-2.1.0-r2.ebuild, -expat-2.1.0-r3.ebuild, expat-2.1.0-r4.ebuild, + +expat-2.1.0-r5.ebuild, +files/expat-2.1.0-mozilla-sanity-check-size.patch: + Fix buffer overflow (bug #555642, CVE-2015-1283, thanks to Agostino Sarubbo + and Paweł Hajdan, Jr.). Improve description. Clean out old ebuilds. (In reply to Alexandre Rostovtsev from comment #4) > Thanks! > > Fixed in expat-2.1.0-r5 - which is ready for stabilization. > Thanks for the bump. Arches, please stabilize: =dev-libs/expat-2.1.0-r5 Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 amd64 stable x86 stable Stable on alpha. sparc stable ia64 stable Stable for HPPA PPC64. arm stable ppc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. Removed vulnerable versions. Arches and Maintainer(s), Thank you for your work. New GLSA Request filed. This issue was resolved and addressed in GLSA 201701-21 at https://security.gentoo.org/glsa/201701-21 by GLSA coordinator Aaron Bauman (b-man). |