Bug 602622 (CVE-2016-9888)

Summary: <gnome-extra/libgsf-1.14.41: Null pointer dereference in tar_directory_for_file() (CVE-2016-9888)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: gnome
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-12-14 10:10:24 UTC
From ${URL} :

An error within the "tar_directory_for_file()" function (gsf-infile-tar.c) in GNOME Structured File Library before 1.14.41 can be exploited to trigger a Null pointer dereference and subsequently cause a crash via a crafted TAR file.

Upstream patch:


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Mart Raudsepp gentoo-dev 2017-01-09 22:07:14 UTC
Bug 587010 isn't a strict dependency here, I don't think. The changes are minimal and a newer libgsf can be stabled independently, even if the previous stable for an arch is only 1.14.34 by the looks of it.
Thoman already rushed and edited the atoms in the gnome-3.20 bug, but that's fine to keep - those that haven't done it yet, can then skip 1.14.40 automatically.

Please stable =gnome-extra/libgsf-1.14.41
Comment 2 Agostino Sarubbo gentoo-dev 2017-01-10 14:56:48 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-01-10 15:25:27 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-11 10:52:35 UTC
sparc stable
Comment 5 Markus Meier gentoo-dev 2017-01-13 16:57:59 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-01-15 16:04:42 UTC
ppc stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-15 22:21:00 UTC
Stable on alpha.
Comment 8 Agostino Sarubbo gentoo-dev 2017-01-17 14:40:15 UTC
ia64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-01-18 10:05:48 UTC
ppc64 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-21 12:10:01 UTC
Stable for HPPA.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-30 01:10:25 UTC
GLSA Vote: No

@ Maintainer(s): Please clean up and drop <gnome-extra/libgsf-1.14.41!
Comment 12 Mart Raudsepp gentoo-dev 2017-01-30 04:58:53 UTC
cleanup done