Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 600526

Summary: <dev-libs/gnulib-2016.12.21.08.39.01: memory corruption flaw in parse_datetime() (CVE-2014-9471)
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: prefix
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 600518    

Description Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-22 22:12:04 UTC 
@ Maintainer(s): Please do another snapshot release. The vulnerability was fixed in http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=a10acfb1d2118f9a180181d3fed5399dbbe1df3c so you should be safe when you bump at least to >=dev-libs/gnulib-20140226 ...
Comment 1 Fabian Groffen gentoo-dev 2016-12-21 07:45:57 UTC 
I just pushed out 2016.12.21.08.39.01.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-23 01:18:47 UTC 
@ Maintainer(s): Thanks for the bump. Please also remove the vulnerable versions, i.e. drop

=dev-libs/gnulib-2013.10.28.22.33.52
=dev-libs/gnulib-2009.03.03.14.07.45-r1

(or apply a mask indicating a security problem).
Comment 3 Fabian Groffen gentoo-dev 2016-12-23 07:22:34 UTC 
My bad, should've removed the old versions immediately.  Done now.