| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <dev-vcs/git-2.7.3-r1: buffer overflow (CVE-2016-2315) | | |
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | dan, polynomial-c, robbat2, ytrezq |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2016/03/15/5 | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=601984 | | |
| Whiteboard: | B2 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2016-03-15 15:13:46 UTC
I'd go with =dev-vcs/git-2.7.3 but that's up for Robin to decide...

+1 to stable 2.7.3

@arches, please stabilize dev-vcs/git-2.7.3
TARGET KEYWORDS = alpha, amd64, arm, hppa, ia64, ppc64, ppc, sparc, x86, arm64, s390, sh

amd64 stable

x86 stable

ppc stable

There just was a message to oss-security that 2.7.3 actually does not contain the fix: http://www.openwall.com/lists/oss-security/2016/03/16/9

The post links to patches, not sure when git will make a new release, maybe they should be backported to our ebuild.

@hanno: I'm running the testsuite on the backported patch now; if it passes I'll push an -r1 and we can restart stable.

@hanno: backported now.

@arches, please stabilize dev-vcs/git-2.7.3-r1
TARGET KEYWORDS = alpha, amd64, arm, hppa, ia64, ppc64, ppc, sparc, x86, arm64, s390, sh

Apologies for the second round of stabilization; upstream didn't actually have the fix in 2.7.3.

Stable for alpha/amd64/arm/ia64/ppc/ppc64/sparc/x86

Remember, due to the nature of the bug, it might be impossible to trigger RCE on big endian machines. So such architectures might be safe.

New versions of git available: 2.4.11, 2.5.5, 2.6.6, 2.7.4 which should have this security bug fixed, i.e. no backports needed.

Stable for HPPA.

@maintainers, please cleanup vulnerable versions. Thank you.

cleanup done

This issue was resolved and addressed in GLSA 201605-01 at https://security.gentoo.org/glsa/201605-01 by GLSA coordinator Kristian Fiskerstrand (K_F).

Fixing alias encoding.