Summary: | <net-p2p/transmission-3.00: Use-after-free allowing possible remote code execution (CVE-2018-10756) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | david, floppym |
Priority: | Normal | Flags: | nattka: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/transmission/transmission/commit/2123adf8e5e1c2b48791f9d22fc8c747e974180e | ||
See Also: | https://github.com/transmission/transmission/issues/1223 | ||
Whiteboard: | B2 [glsa+ cve] | ||
Package list: | net-p2p/transmission-3.00-r1 amd64 ppc ppc64 x86 | ||
Runtime testing required: | --- |
Bug Depends on: | 724786 | ||
Bug Blocks: |
Description
Sam James
2020-05-15 16:57:54 UTC
@maintainer(s), please bump to 3.00.

*** Bug 718328 has been marked as a duplicate of this bug. ***

Version 3.00 was tagged by a relatively new developer in the upstream community.

I am waiting for upstream to provide an official release tarball, and to update their website.

(In reply to Mike Gilbert from comment #3)
> Version 3.00 was tagged by a relatively new developer in the upstream
> community.
>
> I am waiting for upstream to provide an official release tarball, and to
> update their website.

3.00 looks out now. You may want to look at bug 607336 while at it, if it still applies.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=01a4e92dc9136172e3ef15378790bb12cd617cb1

commit 01a4e92dc9136172e3ef15378790bb12cd617cb1
Author: Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2020-05-23 14:09:29 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2020-05-23 14:14:50 +0000

net-p2p/transmission: bump to 3.00

Closes: https://bugs.gentoo.org/607336
Bug: https://bugs.gentoo.org/723258
Signed-off-by: Mike Gilbert <floppym@gentoo.org>

net-p2p/transmission/Manifest | 1 +
net-p2p/transmission/transmission-3.00.ebuild | 142 ++++++++++++++++++++++++++
net-p2p/transmission/transmission-9999.ebuild | 10 +-
3 files changed, 144 insertions(+), 9 deletions(-)

Let's give this version a week in ~arch before stabilizing.

(In reply to Mike Gilbert from comment #6)
> Let's give this version a week in ~arch before stabilizing.

I was going to suggest the same thing. Quite a churn. Cheers!

Unable to check for sanity:
> no match for package: net-p2p/transmission-3.00

(In reply to Mike Gilbert from comment #6)
> Let's give this version a week in ~arch before stabilizing.

How're we looking?

Acked on IRC.

ppc stable

ppc64 stable

x86 stable

amd64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

ping, please cleanup

ping, please cleanup

This issue was resolved and addressed in GLSA 202007-07 at https://security.gentoo.org/glsa/202007-07 by GLSA coordinator Sam James (sam_c).