| Summary: | <media-gfx/icoutils-0.32.0: Multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | ago, jstein, patrick, res, slawomir.nizio |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2017/01/08/1 | | |
| Whiteboard: | B2 [glsa cve] | | |
| Package list: | =media-gfx/icoutils-0.32.0 | | |
| Runtime testing required: | --- | | |
Description

Thomas Deutschmann (RETIRED) 2017-01-09 01:41:12 UTC

from ${URL}:

> It turns out that this is not enough, so upstream has issued
>
> http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=4fbe9222fd79ee31b7ec031b0be070a9a400d1d3
>
> Could you please assign a further CVE for this follow up fix?

Use CVE-2017-5331.

> Furthermore I would like to ask if the following two commits from upstream
> can have as well an identifier assigned:
>
> http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
> http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a

Yes, but because these are immediately consecutive commits, the CVE mapping may seem unusual.

Use CVE-2017-5332 for all of 1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a and also the index correction in 1a108713ac26215c7568353f6e02e727e6d4b24a. In other words, the change from "entries[c]" to "entries[c-skipped]" in 1a108713ac26215c7568353f6e02e727e6d4b24a cannot have a new CVE ID because the code was never "shipped" with "entries[c]" in use. There aren't two independent problems related to establishing a maximum allowable value of the size variable.

Use CVE-2017-5333 for the separate vulnerability fixed by the introduction of the "size >= sizeof(uint16_t)*2" test in 1a108713ac26215c7568353f6e02e727e6d4b24a.

Further issues found in 0.31.1 incoming

*** Bug 610714 has been marked as a duplicate of this bug. ***

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11af7de2cc8e6ff58ed74e58709a91a630bb4dc1

commit 11af7de2cc8e6ff58ed74e58709a91a630bb4dc1
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-10-29 17:39:39 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-10-29 17:42:14 +0000

    media-gfx/icoutils: Bump to v0.32.0

    Thanks to Marty Plummer for the musl build fix (bug #631360).

    Closes: https://github.com/gentoo/gentoo/pull/5393
    Fixes: https://bugs.gentoo.org/631360
    Bug: https://bugs.gentoo.org/605138
    Closes: https://bugs.gentoo.org/635814
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 media-gfx/icoutils/Manifest               |  1 +
 media-gfx/icoutils/icoutils-0.32.0.ebuild | 49 +++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)

@ Arches, please test and mark stable: =media-gfx/icoutils-0.32.0

x86 stable

Stable on amd64

ppc stable

All supported arches stabilized. @maintainer(s), proceed to cleanup, thank you.

Gentoo Security Padawan (Jmbailey/mbailey_j)

This issue was resolved and addressed in GLSA 201801-12 at https://security.gentoo.org/glsa/201801-12 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop <media-gfx/icoutils-0.32.0!