Summary: | <dev-lang/rust{,-bin}-1.29.0: out of bounds write | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Dirkjan Ochtman (RETIRED) <djc> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | leio, rust, toolchain |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=667648 | ||
Whiteboard: | B3 [noglsa] | ||
Package list: |
=dev-lang/rust-1.29.1
=dev-lang/rust-bin-1.29.1
=dev-util/cargo-0.30.0
=virtual/cargo-1.29.1
=virtual/rust-1.29.1
=sys-devel/binutils-2.30-r4
=sys-libs/binutils-libs-2.30-r4
|
Runtime testing required: | --- |
Description
Dirkjan Ochtman (RETIRED)
2018-09-24 12:05:58 UTC
1.29.1 is slated to be released tomorrow.

I think this is ready. Please review and test.

An automated check of this bug failed - the following atom is unknown:

sys-devel/binutils-libs-2.30-r4

Please verify the atom list.

An automated check of this bug succeeded - the previous repoman errors are now resolved.

I don't see any ACKs about binutils revbump being fine to stable by their maintainers. I assume they are, BUT only 3 arches are CCed, meaning that binutils{,-libs} will lag behind on other arches once this bug is done. As such I'm also hesitant to do them for arm64, plus we don't have rust stable, so not sure why we CCed in the first place (besides for binutils, but for that many other arches should be CCed as well)...

x86 stable

Toolchain folks, do you agree with the stabilization of the newer binutils{,-libs}? Do you want to handle that here or in a separate bug?

(In reply to Dirkjan Ochtman from comment #7)
> Toolchain folks, do you agree with the stabilization of the newer
> binutils{,-libs}? Do you want to handle that here or in a separate bug?

Same bug should be ok. Thanks for pulling those in!

as-is the other arches will have lagging stable for binutils stuff now when handled here without all arches CCed, coupled with arch specifications in package list.

Once this security stabilization is handled we will create a dedicated bug for the remaining architectures.

amd64 stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3aba8ca44bf9f3cdb6f44202206ed9fac08d6b9

commit d3aba8ca44bf9f3cdb6f44202206ed9fac08d6b9
Author: Dirkjan Ochtman <djc@gentoo.org>
AuthorDate: 2018-10-05 13:09:59 +0000
Commit: Dirkjan Ochtman <djc@gentoo.org>
CommitDate: 2018-10-05 13:10:59 +0000

dev-lang/rust-bin: remove old, vulnerable versions of rust

Bug: https://bugs.gentoo.org/666976
Bug: https://bugs.gentoo.org/show_bug.cgi?id=662904
Signed-off-by: Dirkjan Ochtman <djc@gentoo.org>
Package-Manager: Portage-2.3.49, Repoman-2.3.10

dev-lang/rust-bin/Manifest | 11 --
dev-lang/rust-bin/rust-bin-1.25.0.ebuild | 122 ---------------------
dev-lang/rust-bin/rust-bin-1.28.0-r1.ebuild | 163 ----------------------------
3 files changed, 296 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5bbd64bd5a9b84a1a33a9bbcf7b725d26d947a50

commit 5bbd64bd5a9b84a1a33a9bbcf7b725d26d947a50
Author: Dirkjan Ochtman <djc@gentoo.org>
AuthorDate: 2018-10-05 13:08:58 +0000
Commit: Dirkjan Ochtman <djc@gentoo.org>
CommitDate: 2018-10-05 13:10:58 +0000

dev-lang/rust: remove old, vulnerable versions of rust

Bug: https://bugs.gentoo.org/show_bug.cgi?id=666976
Bug: https://bugs.gentoo.org/show_bug.cgi?id=662904
Signed-off-by: Dirkjan Ochtman <djc@gentoo.org>
Package-Manager: Portage-2.3.49, Repoman-2.3.10

dev-lang/rust/Manifest | 8 --
dev-lang/rust/metadata.xml | 2 -
dev-lang/rust/rust-1.25.0.ebuild | 172 ----------------------
dev-lang/rust/rust-1.28.0-r1.ebuild | 276 ------------------------------------
dev-lang/rust/rust-1.28.0.ebuild | 268 ----------------------------------
5 files changed, 726 deletions(-)

Vulnerable versions removed.