
Bug 582740 (CVE-2015-7542)

Summary: <sys-libs/gwenhywfar-4.19.0: bundling of outdated and potentially insecure root certificates
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: gentoo, slawomir.nizio
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [noglsa cve]
Package list: sys-libs/gwenhywfar-4.19.0
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 640900, 644782

Description Hanno Böck gentoo-dev 2016-05-11 09:14:59 UTC
See
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7542

It's about bundled deprecated certificates. Ideally the package should use the system-wide certificate store, but even the latest version doesn't do that.

There's a new version 4.15.3 that I'll commit today. I'm currently trying to find out via the upstream mailing list if they intend to switch to the system-wide store or keep their own store up to date.
Comment 1 Hanno Böck gentoo-dev 2016-10-31 10:31:38 UTC
Update: upstream has fixed this in the latest beta versions. I'll wait till they become non-beta and will then update.
Comment 2 Fabian Köster 2017-08-31 08:50:51 UTC
Gwenhywfar 4.18.0 has been released (non-beta) including the fix.
Comment 3 Larry the Git Cow gentoo-dev 2018-02-12 23:50:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82eb14efdb7e64341d631a7b9a7dfa6782a6305f

commit 82eb14efdb7e64341d631a7b9a7dfa6782a6305f
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-02-12 22:44:14 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-02-12 23:50:09 +0000

    sys-libs/gwenhywfar: 4.19.0 version bump
    
    Thanks-to: Thomas Bettler <thomas.bettler@gmail.com>
    Bug: https://bugs.gentoo.org/582740
    Bug: https://bugs.gentoo.org/640900
    Closes: https://bugs.gentoo.org/644782
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 sys-libs/gwenhywfar/Manifest                 |   1 +
 sys-libs/gwenhywfar/gwenhywfar-4.19.0.ebuild | 116 +++++++++++++++++++++++++++
 sys-libs/gwenhywfar/metadata.xml             |  17 ++--
 3 files changed, 128 insertions(+), 6 deletions(-)
Comment 4 Andreas Sturmlechner gentoo-dev 2018-02-13 00:01:03 UTC
Let's use this bug for stabilisation after the usual testing period.
Comment 5 Andreas Sturmlechner gentoo-dev 2018-02-19 23:52:31 UTC
In fact I would like to schedule this with kmymoney-5.0.0 for 2018-03-12 if possible.
Comment 6 Larry the Git Cow gentoo-dev 2018-04-06 00:42:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26b5e6901708132469ce69fa967a6e1d2882c484

commit 26b5e6901708132469ce69fa967a6e1d2882c484
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2018-04-06 00:38:47 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2018-04-06 00:42:00 +0000

    sys-libs/gwenhywfar: Drop vulnerable and Qt4-based
    
    Bug: https://bugs.gentoo.org/582740
    Closes: https://bugs.gentoo.org/644782
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 sys-libs/gwenhywfar/Manifest                    |  1 -
 sys-libs/gwenhywfar/gwenhywfar-4.15.3-r1.ebuild | 62 -------------------------
 sys-libs/gwenhywfar/gwenhywfar-4.15.3.ebuild    | 59 -----------------------
 3 files changed, 122 deletions(-)
Comment 7 Andreas Sturmlechner gentoo-dev 2018-05-13 20:47:06 UTC
ping sec
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2018-05-13 22:52:14 UTC
GLSA Vote: No

Thanks, Andreas!