| Summary: | <dev-lang/mono-4.4.1.0: DoS and possible arbitrary code execution (CVE-2009-0689) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | dotnet, jesse, mrueg, phmagic |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2015/12/19/3 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=580316, https://github.com/gentoo/gentoo/pull/7792 | | |
| Whiteboard: | B3 [noglsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 580316, 594200, 645904 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
2015-12-21 11:44:15 UTC
There are a number of non-vulnerable (but non-stable) versions in the tree. Please advise what you would like to do on this B2 vulnerability.

Any updates on this?

ping

I don't think we need so many unstable versions. Does anybody really need anything between 4.0 and 4.3.x, considering these were never stabilized?

Just for clarity, strtod.c was deleted and its functionality replaced by code imported from the reference source over a year ago.

```
$ git log --stat --notes --follow -M -- mono/utils/strtod.c
commit 1886cdc73fe5aa01cfe8bd305b21e9ea0ceb5c91
Author: Ludovic Henry <ludovic.henry@xamarin.com>
Date:   Wed May 13 17:20:58 2015 +0100

    [referencesource] Import System.Double and System.Simple

 mono/utils/strtod.c | 3360 ---------------------------------------------------
 1 file changed, 3360 deletions(-)
```

(In reply to Dan Douglas from comment #4)
> I don't think we need so many unstable versions. Does anybody really need
> anything between 4.0 and 4.3.x, considering these were never stabilized?
>
> Just for clarity, strtod.c was deleted and its functionality replaced by
> code imported from the reference source over a year ago.

As per Dan above. Maintainers, what version do you want to go stable?

@arches, please stabilize: =dev-lang/mono-4.4.0.148

@maintainer(s), 4.4.0.148 is not vulnerable, but choosing the latest version to stabilize here.

Sorry...

@arches, please stabilize: =dev-lang/mono-4.4.1.0

@maintainer(s), 4.4.0.148 is not vulnerable, but choosing the latest version to stabilize here.

amd64 stable

x86 stable

arches - please complete PPC

This has broken lots of reverse dependencies due to bug 580316; if you drop older mono versions before fixing them, people will simply get things completely broken without the ability to downgrade as a workaround :/

Pacho, we will just set the cleanup to depend on bug 580316, but we still need to have a known non-vulnerable version in the tree for those that do not have dependency issues, and PPC is still not stable.

ppc stable.

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

Arches and Maintainer(s), thank you for your work.

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).

Sorry, my mistake: B2 = GLSA. New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).

This bug isn't ready yet. v2.10.x is still vulnerable.

@ Maintainer(s): Please rev bump and add https://gist.github.com/directhex/01e853567fd2cc74ed39

@Maintainers ping, mono-4.4.1.0 is stable, can you clean 2.10.9-r2? Thanks

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d020793ed31be890423115b5a25529dea0b545ef

```
commit d020793ed31be890423115b5a25529dea0b545ef
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-03 18:50:33 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-03 19:19:46 +0000

    dev-lang/mono: drop vulnerable. use HTTPS.

    Bug: https://bugs.gentoo.org/568988
    Package-Manager: Portage-2.3.28, Repoman-2.3.9
    Closes: https://github.com/gentoo/gentoo/pull/7792

 dev-lang/mono/Manifest               |   1 -
 dev-lang/mono/mono-2.10.9-r2.ebuild  | 265 -----------------------------------
 dev-lang/mono/mono-4.4.1.0.ebuild    |   4 +-
 dev-lang/mono/mono-4.6.1.5-r1.ebuild |   6 +-
 dev-lang/mono/mono-4.6.1.5.ebuild    |   6 +-
 dev-lang/mono/mono-4.8.0.425.ebuild  |   6 +-
 dev-lang/mono/mono-4.8.0.495.ebuild  |   6 +-
 dev-lang/mono/mono-4.8.0.524.ebuild  |   6 +-
 dev-lang/mono/mono-5.4.1.6.ebuild    |   6 +-
 9 files changed, 20 insertions(+), 286 deletions(-)
```

Tree is clean.

No PoC for ACE/RCE. Downgraded.

GLSA Vote: No