| Summary: | <dev-util/nsis-2.51: privilege escalation and code execution vulnerabilities in generated NSIS installers | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | alonbl, gentoo, maintainer-needed, vapier |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1291763 | | |
| Whiteboard: | ~1 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-12-16 08:24:37 UTC
Upstream bug 1125 was marked fixed in 2.50 2016-12-26. nsis-2.51 is in tree.

Oh... sorry this is a security one.
We should remove stable keyword from nsis and in a few weeks cleanup old ebuilds.

(In reply to Alon Bar-Lev from comment #3)
> Oh... sorry this is a security one.
> We should remove stable keyword from nsis and in a few weeks cleanup old
> ebuilds.

The usual process is immediate stabilization unless the maintainer dictates otherwise, such as a major code refactor etc. As there is no maintainer, we will call for stabilization.

@arches, please stabilize: =dev-util/nsis-2.51

@alonbl:
The instructions to have a valid mingw env, as stated in the ebuild, fail for me.
> (chroot) vh ~ # USE='cxx' crossdev --stable --libc '[latest]' -t i686-w64-mingw32
> * You need to specify an output overlay. Please use --ov-output, or consult
> * https://wiki.gentoo.org/wiki/Overlay/Local_overlay for more details.
Do we need to update them or is there something wrong on my side?
Hi!
Before we proceed, can we just drop stable keyword from this package?
Thanks!

(In reply to Alon Bar-Lev from comment #6)
> Hi!
> Before we proceed, can we just drop stable keyword from this package?
> Thanks!

As far as I can see there are no packages depending on it, but it will require a removal GLSA as it loses formal security tracking support.

(In reply to Kristian Fiskerstrand from comment #7)
> (In reply to Alon Bar-Lev from comment #6)
> > Hi!
> > Before we proceed, can we just drop stable keyword from this package?
> > Thanks!
>
> As far as I can see there are no packages depending on it, but it will
> require a removal GLSA as it loses formal security tracking support.

So can I just remove the old ebuild?

(In reply to Alon Bar-Lev from comment #8)
go for it

Removed.

(In reply to Alon Bar-Lev from comment #10)
> Removed.

So does it need stabilization or do you prefer that it remains ~arch?

(In reply to Agostino Sarubbo from comment #11)
> (In reply to Alon Bar-Lev from comment #10)
> > Removed.
>
> So does it need stabilization or do you prefer that it remains ~arch?

Yes, there was no reason to make it stable, it is too fragile anyway. The requirement of having a cross compiler installed is sufficient to reject from stable.

Stable package removed and fixed unstable package is in tree.

@security, please vote on the removal GLSA.

Changing to unstable as the package was never intended for the stable branch.