Summary: | app-editors/zile: Possible multiple vulnerabilities due to embedded gnulib (CVE-2017-7476, CVE-2018-17942) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | ||
Severity: | normal | CC: | emacs |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 714934 |
Description
Sam James
2020-03-26 22:59:33 UTC
The TZ code doesn't exist:

```
zile-2.4.14 $ find -name time_rz.c
zile-2.4.14 $ grep -r save_abbr
zile-2.4.14 $
```

As for convert_to_decimal(), that code exists in lib/vasnprintf.c but is inside a big (NEED_PRINTF_LONG_DOUBLE || NEED_PRINTF_DOUBLE) preprocessor conditional in lines 329 to 1529, so it isn't compiled in:

```
zile-2.4.14 $ grep -E 'NEED_PRINTF(_LONG)?_DOUBLE' config.h
/* #undef NEED_PRINTF_DOUBLE */
/* #undef NEED_PRINTF_LONG_DOUBLE */
```

Double checking, the symbol isn't in the binary:

```
$ nm -a src/zile | grep convert_to_decimal
```

So looks like a false positive.
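The three checks from the comment above, wrapped as reusable shell functions. This is an added example, not part of the original bug report or of zile; the function names and verdict strings are made up here, and it assumes an unpacked, configured source tree with `config.h` at its root and the gnulib file at `lib/vasnprintf.c`, as in the comment.

```shell
#!/bin/sh
# Added example (hypothetical helper names): triage a bundled gnulib copy
# for the two code paths named in this bug.

# check_time_rz SRCDIR -> "present" if the TZ code is bundled, else "absent"
check_time_rz() {
    src=$1
    if [ -n "$(find "$src" -name time_rz.c -print 2>/dev/null)" ] ||
       grep -rqs save_abbr "$src"; then
        echo present
    else
        echo absent
    fi
}

# check_convert_to_decimal SRCDIR -> "absent", "not-compiled" or "compiled"
check_convert_to_decimal() {
    src=$1
    if ! grep -qs convert_to_decimal "$src/lib/vasnprintf.c"; then
        echo absent
    # Only an active "#define" enables the guarded block; the commented-out
    # "/* #undef ... */" lines that configure writes do not match.
    # Assumption: the macros are not injected through -D compiler flags.
    elif grep -Eqs '^[[:space:]]*#[[:space:]]*define[[:space:]]+NEED_PRINTF(_LONG)?_DOUBLE([[:space:]]|$)' "$src/config.h"; then
        echo compiled
    else
        echo not-compiled
    fi
}

# check_symbol BINARY SYMBOL -> "present", "absent" or "unknown"
# An empty symbol table (stripped or unreadable binary) proves nothing,
# so it is reported as "unknown" rather than "absent".
check_symbol() {
    bin=$1 sym=$2
    command -v nm >/dev/null 2>&1 || { echo unknown; return; }
    syms=$(nm -a "$bin" 2>/dev/null)
    if [ -z "$syms" ]; then
        echo unknown
    elif printf '%s\n' "$syms" | grep -qw "$sym"; then
        echo present
    else
        echo absent
    fi
}
```

For the tree described in the comment, the first two functions would report `absent` and `not-compiled`; run `check_symbol` against an unstripped build, since a stripped binary yields `unknown`.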