Bug 694362 (CVE-2019-15903)

Comment 1 Stabilization helper bot 2019-09-14 13:59:38 UTC

An automated check of this bug failed - repoman reported dependency errors (6 lines truncated): 

> dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0) ['app-text/docbook2X']
> dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop) ['app-text/docbook2X']
> dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop/gnome) ['app-text/docbook2X']

Comment 2 Sebastian Pipping 2019-09-14 18:34:47 UTC

(In reply to Stabilization helper bot from comment #1)
> An automated check of this bug failed - repoman reported dependency errors
> (6 lines truncated): 
> 
> > dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0) ['app-text/docbook2X']
> > dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop) ['app-text/docbook2X']
> > dependency.bad dev-libs/expat/expat-2.2.8.ebuild: BDEPEND: arm64(default/linux/arm64/17.0/desktop/gnome) ['app-text/docbook2X']

Give me a second, I have an idea how to drop that dependency again...

Comment 3 Larry the Git Cow 2019-09-14 18:39:27 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a3857d108c142a4bf4d69df8fcf1e9d46c6b6609

commit a3857d108c142a4bf4d69df8fcf1e9d46c6b6609
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2019-09-14 18:38:29 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2019-09-14 18:38:39 +0000

    dev-libs/expat: Make use of shipped pre-compiled man page
    
    Bug: https://bugs.gentoo.org/694362
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-2.3.68, Repoman-2.3.16

 dev-libs/expat/expat-2.2.8.ebuild | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

Comment 4 Sebastian Pipping 2019-09-14 18:40:23 UTC

Done :)

Comment 5 Rolf Eike Beer 2019-09-14 23:39:09 UTC

hppa/sparc stable

Comment 6 Stabilization helper bot 2019-09-15 00:02:18 UTC

An automated check of this bug succeeded - the previous repoman errors are now resolved.

Comment 7 Aaron Bauman (RETIRED) 2019-09-15 03:51:27 UTC

arm64 stable

Comment 8 Agostino Sarubbo 2019-09-16 07:56:30 UTC

x86 stable

Comment 9 Agostino Sarubbo 2019-09-16 07:57:36 UTC

amd64 stable

Comment 10 Sergei Trofimovich (RETIRED) 2019-09-16 22:10:40 UTC

ia64/ppc/ppc64 stable

Comment 11 Agostino Sarubbo 2019-09-20 12:10:17 UTC

s390 stable

Comment 12 Matt Turner 2019-09-21 01:00:27 UTC

alpha stable

Comment 13 Thomas Deutschmann (RETIRED) 2019-09-24 11:39:40 UTC

New GLSA request filed.

Comment 14 Mikle Kolyada (RETIRED) 2019-09-26 20:03:05 UTC

arm stable

Comment 15 Thomas Deutschmann (RETIRED) 2019-10-25 11:28:47 UTC

@ maintainer(s): Please cleanup and drop <dev-libs/expat-2.2.8!

Comment 16 Larry the Git Cow 2019-10-26 10:44:24 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a865e40bcced3a011bfaf0f48e8e3ca24720121

commit 8a865e40bcced3a011bfaf0f48e8e3ca24720121
Author:     Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2019-10-26 10:43:19 +0000
Commit:     Sebastian Pipping <sping@gentoo.org>
CommitDate: 2019-10-26 10:44:11 +0000

    dev-libs/expat: Remove vulnerable
    
    Bug: https://bugs.gentoo.org/694362
    Signed-off-by: Sebastian Pipping <sping@gentoo.org>
    Package-Manager: Portage-2.3.68, Repoman-2.3.16

 dev-libs/expat/Manifest           |  2 -
 dev-libs/expat/expat-2.2.6.ebuild | 97 ---------------------------------------
 dev-libs/expat/expat-2.2.7.ebuild | 96 --------------------------------------
 3 files changed, 195 deletions(-)

Comment 17 GLSAMaker/CVETool Bot 2019-11-25 00:19:28 UTC

This issue was resolved and addressed in
 GLSA 201911-08 at https://security.gentoo.org/glsa/201911-08
by GLSA coordinator Aaron Bauman (b-man).