Bug 648954 (CVE-2017-18201)

Comment 1 Thomas Deutschmann (RETIRED) 2018-02-27 15:14:43 UTC

Note that the patch was actually commit https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=dec2f876c2d7162da213429bce1a7140cdbdd734.

It is present in v2.0.0 which is already available in Gentoo repository.


@ Maintainer(s): Can we stabilize =dev-libs/libcdio-2.0.0?

>=libcdio-1.0 had incompatible changes in API, and not all reverse dependencies have been fixed yet (bug 638682, bug 641078, bug 641470).
Better to backport that simple one-line fix to older version.

I assume that both commits are needed:
https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=f6f9c48fb40b8a1e8218799724b0b61a7161eb1d
https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=dec2f876c2d7162da213429bce1a7140cdbdd734

Comment 4 Aaron Bauman (RETIRED) 2018-04-08 21:50:43 UTC

What's the way forward here?  Do the maintainers want to backport the patch?

Comment 5 Andreas Sturmlechner 2018-04-08 22:19:20 UTC

Adding =media-video/vcdimager-2.0.1 to the list as it should be stabilised in lockstep.

Comment 6 Aaron Bauman (RETIRED) 2018-11-29 21:43:21 UTC

@arches, please stabilize.

Comment 7 Mikle Kolyada (RETIRED) 2018-11-30 20:28:47 UTC

*** Bug 672230 has been marked as a duplicate of this bug. ***

Comment 8 Andreas Sturmlechner 2018-12-01 19:12:56 UTC

*** Bug 671964 has been marked as a duplicate of this bug. ***

media-libs/xine-lib broken too #672458

Comment 10 Agostino Sarubbo 2018-12-04 11:57:12 UTC

amd64 stable

Comment 11 Thomas Deutschmann (RETIRED) 2018-12-07 02:42:24 UTC

x86 stable

Comment 12 Rolf Eike Beer 2018-12-15 14:17:36 UTC

sparc stable

Comment 13 Markus Meier 2018-12-18 21:06:52 UTC

arm stable

Comment 14 Aaron Bauman (RETIRED) 2019-03-24 19:49:44 UTC

Depends removed.  This has since been stabilized.

Comment 15 Aaron Bauman (RETIRED) 2019-03-24 20:11:27 UTC

(In reply to Aaron Bauman from comment #14)
> Depends removed.  This has since been stabilized.

nvm.  I see vcdimager which was not stabilized due to test failures.  Why the dependency and stabilization together if it wasn't needed...

Comment 16 Mikle Kolyada (RETIRED) 2019-04-06 13:37:06 UTC

alpha stable

Comment 17 Sergei Trofimovich (RETIRED) 2019-12-25 20:53:20 UTC

ppc stable

Comment 18 Andreas Sturmlechner 2020-02-19 22:23:29 UTC

(In reply to Aaron Bauman from comment #15)
> nvm.  I see vcdimager which was not stabilized due to test failures.  Why
> the dependency and stabilization together if it wasn't needed...

Because obviously vcdimager is going to block cleanup besides being a blocker for stable user upgrades...

Comment 19 Andreas Sturmlechner 2020-02-19 22:27:16 UTC

See also bug 671964...

Comment 20 Sergei Trofimovich (RETIRED) 2020-03-02 14:13:25 UTC

ignoring test failure and declaring hppa stable

Comment 21 Agostino Sarubbo 2020-03-31 12:34:27 UTC

ia64 will pass. See https://archives.gentoo.org/gentoo-dev/message/edaadc85d7423810dd6ecfeda29cc85f

Comment 22 Thomas Deutschmann (RETIRED) 2020-04-01 19:16:23 UTC

GLSA Vote: No!

Comment 23 Yury German 2020-04-16 06:48:08 UTC

PPC64 forgot to remove themselves, version is stable in tree.

Maintainer(s), please drop the vulnerable version(s).

Comment 24 NATTkA bot 2020-04-16 06:52:06 UTC

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Comment 25 Yury German 2020-05-21 23:51:31 UTC

Maintainer(s), it has been 30 days + since request for cleanup. 
Please drop the vulnerable version(s).

Comment 26 Sam James 2020-07-27 20:51:49 UTC

ppc64 stable

Comment 27 Larry the Git Cow 2020-07-29 00:19:48 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a0390ce45e2faa0dc97db10c2310a6164bf0cc2

commit 4a0390ce45e2faa0dc97db10c2310a6164bf0cc2
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 00:19:24 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 00:19:38 +0000

    dev-libs/libcdio: security cleanup
    
    Bug: https://bugs.gentoo.org/648954
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libcdio/Manifest               |  3 --
 dev-libs/libcdio/libcdio-0.93.ebuild    | 73 --------------------------------
 dev-libs/libcdio/libcdio-0.94-r1.ebuild | 73 --------------------------------
 dev-libs/libcdio/libcdio-1.1.0.ebuild   | 75 ---------------------------------
 dev-libs/libcdio/libcdio-2.0.0.ebuild   | 74 --------------------------------
 5 files changed, 298 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cce5ce922fc380cd1bde667ac65c55e253169739

commit cce5ce922fc380cd1bde667ac65c55e253169739
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-07-29 00:19:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-29 00:19:38 +0000

    media-video/vcdimager: cleanup for libcdio security cleanup
    
    Bug: https://bugs.gentoo.org/648954
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Sam James <sam@gentoo.org>

 media-video/vcdimager/Manifest                     |   1 -
 .../files/vcdimager-0.7.24-libcdio-1.0.0.patch     | 230 ---------------------
 media-video/vcdimager/vcdimager-0.7.24.ebuild      |  61 ------
 3 files changed, 292 deletions(-)