Summary: | <dev-libs/libofx-0.9.14: Memory corruption in the .SVG parsing functionality (CVE-2017-2920) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | maintainer-needed
Priority: | Normal | Flags: | stable-bot: sanity-check+
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0427 | |
Whiteboard: | B2 [noglsa cve] | |
Package list: | dev-util/gengetopt-2.23, dev-cpp/libxmlpp-2.40.1, dev-libs/libofx-0.9.14-r1 | |
Runtime testing required: | Yes | |
Bug Depends on: | | |
Bug Blocks: | 631304, 636062, 680098 | |
Description
Thomas Deutschmann (RETIRED)
2018-08-05 23:58:02 UTC
Fixed in >=0.9.12

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=451fc2c8ff8cb638785cb2a51d722da9e35700e3

commit 451fc2c8ff8cb638785cb2a51d722da9e35700e3
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-08-18 02:06:31 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-08-18 02:13:31 +0000

    dev-libs/libofx: bump package

    * non-maintainer security bump
    * drop PPC/PPC64 keywords due to new dep on dev-util/gengetopt
    * move from autotools-utils to autotools eclass
    * bump EAPI
    * Update HOMEPAGE and SRC_URI
    * move RDEPEND deps to DEPEND where they belong

    Bug: https://bugs.gentoo.org/631304
    Bug: https://bugs.gentoo.org/636062
    Bug: https://bugs.gentoo.org/662910
    Closes: https://bugs.gentoo.org/675152
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-libs/libofx/Manifest             |  1 +
 dev-libs/libofx/libofx-0.9.14.ebuild | 56 ++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)

@arches, please stabilize.

amd64 stable

x86 stable

Stabilization of dev-libs/libofx-0.9.14 happened too early since unfortunately there was a regression. dev-libs/libofx-0.9.14 does not install the /usr/share/libofx directory with required files (bug #692658). (Previous stable version dev-libs/libofx-0.9.10 installs this directory.) This regression has been fixed in dev-libs/libofx-0.9.14-r1, which now needs to be stabilized.

amd64 stable

x86 stable

This issue was resolved and addressed in GLSA 201908-26 at https://security.gentoo.org/glsa/201908-26 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for cleanup and remaining architectures.

hppa keywords dropped

@ppc/ppc64, please keyword latest version or drop keywords.

An automated check of this bug failed - repoman reported dependency errors (65 lines truncated):
> dependency.bad dev-libs/libofx/libofx-0.9.14-r1.ebuild: BDEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['dev-util/gengetopt']
> dependency.bad dev-libs/libofx/libofx-0.9.14-r1.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['>=dev-cpp/libxmlpp-2.40.1:2.6']
> dependency.bad dev-libs/libofx/libofx-0.9.14-r1.ebuild: RDEPEND: ppc(default/linux/powerpc/ppc32/17.0) ['>=dev-cpp/libxmlpp-2.40.1:2.6']
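The dependency.bad lines above mean that on ppc the ebuild carried a keyword its dependencies did not: dev-util/gengetopt and dev-cpp/libxmlpp were not keyworded for ppc at all, so a ppc user could be offered a package that cannot be built. The following is an added example, not repoman's own code and not taken from the Gentoo tree; it approximates that check by parsing KEYWORDS strings and reporting every arch on which a dependency is keyworded less strongly than the package. The KEYWORDS values, the `report` helper and its output format are constructed for illustration, and the `*`/`-*` wildcards are deliberately not modelled.

```python
"""Approximation of repoman's dependency.bad keyword check (added example,
not repoman's own code). KEYWORDS values used below are constructed for
illustration, not copied from the Gentoo tree."""
from typing import Dict, List, Optional, Tuple

# Keyword strength: a dependency must be keyworded at least as strongly as the
# package on every arch the package is keyworded for.
_RANK = {"stable": 2, "testing": 1, "masked": 0}


def parse_keywords(keywords: str) -> Dict[str, str]:
    """Map arch -> 'stable' | 'testing' | 'masked' from a KEYWORDS string.

    'amd64' is stable, '~amd64' is testing, '-amd64' is masked. The '*' and
    '-*' wildcards are not modelled here (assumption made for brevity).
    """
    out: Dict[str, str] = {}
    for tok in keywords.split():
        if tok.startswith("-"):
            out[tok[1:]] = "masked"
        elif tok.startswith("~"):
            out[tok[1:]] = "testing"
        else:
            out[tok] = "stable"
    return out


def satisfied(pkg_level: str, dep_level: Optional[str]) -> bool:
    """True if a dependency keyworded at dep_level can serve a package at pkg_level."""
    if dep_level is None:  # dependency carries no keyword at all for this arch
        return False
    return _RANK[dep_level] >= _RANK[pkg_level]


def check_deps(pkg_keywords: str,
               deps: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (dep_class, arch, atom) for every dependency that is not
    keyworded strongly enough; an empty list means the check passes.

    deps maps a dependency class (DEPEND, RDEPEND, BDEPEND) to {atom: KEYWORDS}.
    """
    pkg = parse_keywords(pkg_keywords)
    problems: List[Tuple[str, str, str]] = []
    for dep_class, atoms in deps.items():
        for atom, dep_kw in atoms.items():
            dep = parse_keywords(dep_kw)
            for arch, level in pkg.items():
                if level == "masked":
                    continue  # the package itself is not offered on this arch
                if not satisfied(level, dep.get(arch)):
                    problems.append((dep_class, arch, atom))
    return problems


# Constructed data: the package is stable on ppc, but gengetopt is not keyworded there.
EXAMPLE_PKG_KEYWORDS = "amd64 ppc ~ppc64 x86"
EXAMPLE_DEPS = {
    "BDEPEND": {"dev-util/gengetopt": "amd64 ~ppc64 x86"},
    "DEPEND": {">=dev-cpp/libxmlpp-2.40.1:2.6": "amd64 ppc ppc64 x86"},
    "RDEPEND": {">=dev-cpp/libxmlpp-2.40.1:2.6": "amd64 ppc ppc64 x86"},
}


def report(pkg_keywords: str, deps: Dict[str, Dict[str, str]]) -> List[str]:
    """Format problems in a style modelled on repoman's dependency.bad lines."""
    return [f"dependency.bad {dep_class}: {arch} [{atom!r}]"
            for dep_class, arch, atom in check_deps(pkg_keywords, deps)]


if __name__ == "__main__":
    for line in report(EXAMPLE_PKG_KEYWORDS, EXAMPLE_DEPS):
        print(line)
```

Running the block prints one line for the missing ppc keyword on dev-util/gengetopt; the ppc64 entry passes because a `~ppc64` package only needs `~ppc64` dependencies, which is why the thread could stabilize ppc64 once gengetopt had been tested there.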
Looking good on ppc64.

# cat libofx-662910.report
USE tests started on Tue 24 Sep 00:26:36 CEST 2019

FEATURES=' test' USE='' succeeded for =dev-libs/libofx-0.9.14-r1
USE='-static-libs' succeeded for =dev-libs/libofx-0.9.14-r1
USE='static-libs' succeeded for =dev-libs/libofx-0.9.14-r1

(In reply to ernsteiswuerfel from comment #14)
> Looking good on ppc64.

with or without a particular version of dev-util/gengetopt...?

(In reply to Andreas Sturmlechner from comment #15)
> (In reply to ernsteiswuerfel from comment #14)
> > Looking good on ppc64.
>
> with or without a particular version of dev-util/gengetopt...?

With =dev-util/gengetopt-2.23.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=df284893a89f67ecc5a483f5601d5b7a3bb7ed24

commit df284893a89f67ecc5a483f5601d5b7a3bb7ed24
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-10-15 22:41:56 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-10-15 22:41:56 +0000

    dev-libs/libofx: 0.9.14 ppc64 stable

    Thanks-to: ernsteiswuerfel <erhard_f@mailbox.org>
    Bug: https://bugs.gentoo.org/662910
    Package-Manager: Portage-2.3.77, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libofx/libofx-0.9.14-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Looking good on ppc.

# cat gengetopt-662910.report
USE tests started on Tue 22 Oct 02:39:09 CEST 2019

FEATURES=' test' USE='' succeeded for =dev-util/gengetopt-2.23
USE='' succeeded for =dev-util/gengetopt-2.23
FEATURES=' test' USE='' succeeded for =dev-cpp/libxmlpp-2.40.1
USE='-doc' succeeded for =dev-cpp/libxmlpp-2.40.1
USE='doc' succeeded for =dev-cpp/libxmlpp-2.40.1
FEATURES=' test' USE='' succeeded for =dev-libs/libofx-0.9.14-r1
USE='-static-libs' succeeded for =dev-libs/libofx-0.9.14-r1
USE='static-libs' succeeded for =dev-libs/libofx-0.9.14-r1

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=084225d46d960771929af249f7a9fd42c42c6dec

commit 084225d46d960771929af249f7a9fd42c42c6dec
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-10-22 18:08:38 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-10-22 18:11:15 +0000

    dev-libs/libofx: Drop vulnerable 0.9.10

    Bug: https://bugs.gentoo.org/662910
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libofx/Manifest             |  1 -
 dev-libs/libofx/libofx-0.9.10.ebuild | 49 ------------------------------------
 2 files changed, 50 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b034c5eeba2fbf5646f1c2c3f9755514c3e75ca

commit 5b034c5eeba2fbf5646f1c2c3f9755514c3e75ca
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2019-10-22 18:07:20 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2019-10-22 18:11:14 +0000

    dev-libs/libofx: 0.9.14-r1 ppc stable

    Thanks-to: ernsteiswuerfel <erhard_f@mailbox.org>
    Bug: https://bugs.gentoo.org/662910
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-libs/libofx/libofx-0.9.14-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

ppc stable. Maintainer(s), please cleanup.

Cleanup was documented in the comment right above yours. Repository is clean, all done.