Summary: | <app-shells/bash-4.3_p48-r1: popd controlled use-after-free | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | base-system, kfm |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://seclists.org/oss-sec/2016/q4/445 | ||
Whiteboard: | B2 [glsa+ cve] | ||
Package list: | Runtime testing required: | --- |
Description
Thomas Deutschmann (RETIRED)
2016-11-18 14:43:10 UTC
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not. added upstream's fix to 4.4: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1bf1ceeb04a2f57e1e5e1636a8c288c4d0db6682 Chet seemed confident it isn't exploitable (beyond making the active shell crash/exit immediately) @ Arches, please test and mark stable: =app-shells/bash-4.4_p5-r1 Stabilization postponed on request of base-system (looks like they want to stabilize 4.4.x together with readline-7.x and aren't ready yet). I've added the fix to bash-4.3 so we (base-system) have a bit more time figuring out if readline-7.0 is ready for stabilization: commit c3d3bdc215881e2712843708c42978b7bac96ba9 Author: Lars Wendler <polynomial-c@gentoo.org> Date: Sun Dec 4 17:06:54 2016 app-shells/bash: Revbump to add popd offset overflow fix to bash-4.3 (#600174). Package-Manager: portage-2.3.2 Arches please test and mark stable =app-shells/bash-4.3_p48-r1 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd Stable on alpha. yes, we do not want to stabilize bash-4.4 this year. it needs more time to sit. amd64 stable x86 stable done the rest now (In reply to SpanKY from comment #10) > done the rest now Thanks, Mike! GLSA pending review. This issue was resolved and addressed in GLSA 201701-02 at https://security.gentoo.org/glsa/201701-02 by GLSA coordinator Thomas Deutschmann (whissi). Re-opening for cleanup. @ Maintainer(s): Please drop <app-shells/bash-4.3_p48-r1 or apply masks indicating a security problem. Cleanup PR: https://github.com/gentoo/gentoo/pull/3392 Ping: PR was closed because earlier bash versions are kept for testing reasons. Security Team Padawan ChrisADR @base-system, can we mask here? Cleanup done, closing as RESOLVED. Thank you all. |