| Summary: | media-sound/grip buffer overflow | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | dopey, sound |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | All | ||
| URL: | http://sourceforge.net/tracker/index.php?func=detail&aid=834724&group_id=3714&atid=103714 | ||
| Whiteboard: | B2 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Sune Kloppenborg Jeppesen (RETIRED)
2005-03-09 22:47:40 UTC
We do not have the mentioned vulnerable 3.1.2 version in our tree anymore. someone responded to the bug and confirmed this in 3.2.0 as well. CC'ing sound since this is their baby. a 3.3.0 ebuild and the patch from sourceforge are now in tree The added patch was not confirmed by upstream, and is not included in their latest release 3.3.0. Although this vulnerability is highly unlikely to cause any trouble, the patch looks harmless to me, so I have no objection for keeping it in the tree. Security/Audit Team, opinions? Looks alright to me... Arches, please test and mark grip-3.3.0 stable stable on ppc64 Stable on ppc. sparc stable. stable on amd64 and x86 Stable on alpha. GLSA 200503-21 what about the vulnerable versions in the tree, 3.2.0 and 3.2.0-r1 ? shouldn't somebody remove them? Vulnerable versions are removed. Is it really appropriate to replace Grip 3.2.0 (the officially released version) with Grip 3.3.0 (an unstable development version?). Shouldn't the proper route been to backport the patch to 3.2.0? FYI, the patch (3.3.0-crashfix.patch) applies directly to 3.2.0 and solves the problem |