| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <dev-libs/gnulib-2019.03.17.09.24.57: Multiple vulnerabilities (CVE-2017-7476, CVE-2018-17942) | | |
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | prefix |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | ~3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 714934 | | |
Description
Sam James
2020-03-18 03:22:42 UTC
Note that this did affect coreutils, but the affected versions are out of tree now.

Vulnerability 1) https://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=commit;h=9287ef2b1707e2a222f8ae776ce3785abcb16fba (fixed in coreutils 8.28)

Vulnerability 2) https://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=commit;h=9c3730e601b72b4478e81d3c75e06ede4cfd93bc (this is the first sync w/ gnulib after the fix, looks like first release after this was 8.31).

--

Also, for vulnerability 1, a URL: https://bugzilla.redhat.com/show_bug.cgi?id=1444774

(In reply to sam_c (Security Padawan) from comment #1)
> Note that this did affect coreutils, but the affected versions are out of
> tree now.
>

Sorry, please ignore this part for now. This is not clear wrt vulnerability 2.

> Vulnerability 2)
> https://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=commit;
> h=9c3730e601b72b4478e81d3c75e06ede4cfd93bc (this is the first sync w/ gnulib
> after the fix, looks like first release after this was 8.31).
>

Fedora: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4ZP6L5HXDOVKYTM5ELLYE64H75MT4LZR/

So it looks like this might indeed affect coreutils < 8.31.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bdb4e687666320e19dd8bc2b3565b01e08e88788

commit bdb4e687666320e19dd8bc2b3565b01e08e88788
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-03-18 05:57:14 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-03-18 05:57:14 +0000

    dev-libs/gnulib: remove vulnerable versions

    Bug: https://bugs.gentoo.org/713104
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 dev-libs/gnulib/Manifest                          |  2 --
 dev-libs/gnulib/gnulib-2016.12.21.08.39.01.ebuild | 43 -----------------------
 dev-libs/gnulib/gnulib-2017.12.19.15.53.47.ebuild | 43 -----------------------
 3 files changed, 88 deletions(-)

Closing because tree clean and noglsa.