| Field | Value |
|---|---|
| Summary | <x11-misc/shutter-0.93.1-r2: Insecure use of system() |
| Product | Gentoo Security |
| Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | trivial |
| CC | graphics+disabled, hwoarang, leif |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.openwall.com/lists/oss-security/2015/09/13/2 |
| Whiteboard | ~2 [noglsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | |
Description
Agostino Sarubbo
2015-09-14 09:24:43 UTC
CCing treecleaners

This bug was fixed a while ago (available since 0.93.1, which we have in the portage tree already): https://bugs.launchpad.net/shutter/+bug/1495163/comments/4

I believe we should change the mask to be the following instead of removing the package completely:

    <=x11-misc/shutter-0.93.1

OK, only that version left in the tree and unmasked (this package is back to testing then... in that case, I am not sure if the maintainer will want to stabilize it in the normal way or... from the security team's point of view this should be solved then)

(In reply to Pacho Ramos from comment #3)
> OK, only that version left in the tree and unmasked (this package is back to
> testing then... in that case, I am not sure if maintainer will want to
> stabilize it in the normal way or... from security team point of view this
> should be solved then)

Feeling myself a bit stupid and fooled. Tried the steps described in this issue and they lead to running `xeyes`, proving that 0.93.1 is actually affected by this vulnerability. Then I re-read the post I linked before. It's not an upstream fix: they simply released 0.93.1-1 with the patch, as it seems the package is not maintained anymore. Really sorry, but it seems we either need to apply that patch as well or mask it indeed.

Created attachment 444144 [details, diff]
Patch that fixes this issue

Updating summary to reflect that we don't have a fixed package in tree according to comment #4.

Let's do it

    commit baed4e086c9d53601f7de98d165df1841c1f92dd
    Author: Markos Chandras <hwoarang@gentoo.org>
    Date:   Sat Dec 10 20:13:46 2016 +0000

        x11-misc/shutter: Revision bump

        Revision bump to include Debian patch to fix #560426
        Thanks to Alexey Zapparov <ixti@member.fsf.org>

        Gentoo-Bug: 560426
        Package-Manager: portage-2.3.3

@ Maintainer(s): Thank you Alexey for the patch and Markos for the bump. The only thing left is the removal of the previous, vulnerable version. Could you please drop =x11-misc/shutter-0.93.1-r1?

done
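The bug summary names the issue class ("insecure use of system()") without showing it. Shutter is written in Perl, and the added example below is not shutter's code nor the Debian patch referenced in the commit above: it is a standalone illustration of the pattern behind this class of bug and its hardened form. The file name, and the `open_insecure`/`open_secure` function names, are constructed for the example; `echo` stands in for whatever external program a screenshot tool would launch (the report mentions `xeyes` being run as the proof).

```perl
#!/usr/bin/env perl
# Added example (not shutter's code): string-form system() vs. list-form system().
use strict;
use warnings;

# Constructed input: a file name that arrived from outside the program
# (user input, a file picker, a drag-and-drop path). It carries a shell
# metacharacter followed by a second command.
my $file = 'shot.png; echo INJECTED';

# Vulnerable pattern: a single string argument. When that string contains
# shell metacharacters, Perl hands it to /bin/sh -c, so ';' terminates the
# intended command and the remainder runs as a separate command.
sub open_insecure {
    my ($name) = @_;
    # Runs "echo opening shot.png" and then "echo INJECTED".
    return system("echo opening $name");
}

# Hardened pattern: list form with more than one element. Perl execs the
# program directly with that argv; no shell parses the arguments, so the
# entire file name is delivered as one literal argument.
sub open_secure {
    my ($name) = @_;
    # Prints the single line "opening shot.png; echo INJECTED".
    my $rc = system('echo', 'opening', $name);
    die "child failed with status $?" if $rc != 0;
    return $rc;
}

open_insecure($file);
open_secure($file);
```

Two caveats matter when reviewing a fix of this kind: the list form only bypasses the shell when it has more than one element (a one-element `system($cmd)` is treated like the string form and is still shell-parsed if `$cmd` contains metacharacters; the indirect-object form `system { $prog } @args` forces a direct exec regardless), and the same distinction applies to `exec()`, backticks/`qx//`, and two-argument `open()` with a pipe, so a patch that converts one `system()` call needs a grep for the other spellings too.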