Summary: | <sys-cluster/libqb-1.0.5: insecure treatment of IPC (temporary) files (CVE-2019-12779) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | cluster |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
See Also: | https://github.com/gentoo/gentoo/pull/13746 https://bugs.gentoo.org/show_bug.cgi?id=704514 | | |
Whiteboard: | B1 [glsa+ cve] | | |
Package list: | | Runtime testing required: | --- |

Description
GLSAMaker/CVETool Bot
2019-11-11 18:06:40 UTC
The https://github.com/gentoo/gentoo/pull/13746.patch contains a bump to libqb-1.0.5 [PATCH 3/3].

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd35a6d8e2110d67918cb5cfff48d234ceb2c12e

commit fd35a6d8e2110d67918cb5cfff48d234ceb2c12e
Author: Wim Muskee <wimmuskee@gmail.com>
AuthorDate: 2019-11-23 20:40:56 +0000
Commit: Alexys Jacob <ultrabug@gentoo.org>
CommitDate: 2019-12-11 17:08:30 +0000

sys-cluster/libqb: version bump to 1.0.5

Bug: https://bugs.gentoo.org/699860
Signed-off-by: Wim Muskee <wimmuskee@gmail.com>
Signed-off-by: Alexys Jacob <ultrabug@gentoo.org>

sys-cluster/libqb/Manifest | 1 +
sys-cluster/libqb/libqb-1.0.5.ebuild | 52 ++++++++++++++++++++++++++++++++++++
2 files changed, 53 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7e5e69bf829c1d7972ad069d415f24937417ffa4

commit 7e5e69bf829c1d7972ad069d415f24937417ffa4
Author: Sebastian Pipping <sping@gentoo.org>
AuthorDate: 2020-01-02 21:38:41 +0000
Commit: Sebastian Pipping <sping@gentoo.org>
CommitDate: 2020-01-02 21:44:12 +0000

sys-cluster/libqb: 1.9.0

Bug: https://bugs.gentoo.org/704514
Bug: https://bugs.gentoo.org/699860
Signed-off-by: Sebastian Pipping <sping@gentoo.org>
Package-Manager: Portage-2.3.84, Repoman-2.3.20

sys-cluster/libqb/Manifest | 1 +
sys-cluster/libqb/libqb-1.9.0.ebuild | 62 ++++++++++++++++++++++++++++++++++++
2 files changed, 63 insertions(+)

Please note that the link magic in libqb 1.0.5 causes link errors with dependees (see bug #704514) so some users may have a hard time getting off vulnerable libqb 1.0.1.

There is 1.0.9 in tree now, I hope that helps this path.

(In reply to Sebastian Pipping from comment #4)
> [..] There is 1.0.9 in tree now, [..]

1.9.0, sorry.

(In reply to Sebastian Pipping from comment #5)
> (In reply to Sebastian Pipping from comment #4)
> > [..] There is 1.0.9 in tree now, [..]
>
> 1.9.0, sorry.

Let's call this the stable candidate, and do it shortly unless somebody objects.

hppa stable

x86 stable

ppc64 stable

Unable to check for sanity:
> no match for package: sys-cluster/libqb-1.9.0

Both amd64 and ppc have latest version stable.

Unable to check for sanity:
> no match for package: sys-cluster/libqb-1.9.0

Dropping bug 720910 which did not block stabilization.

New GLSA request filed.

This issue was resolved and addressed in GLSA 202107-03 at https://security.gentoo.org/glsa/202107-03 by GLSA coordinator John Helmert III (ajak).