Summary: gnome-base/gnome-vfs,media-libs/libcdaudio: cdda response overflow, CAN-2005-0706

| Field | Value |
|---|---|
| Product | Gentoo Security |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | gnome, sascha-gentoo-bugzilla |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | All |
| Whiteboard | B2 [glsa] |
| Runtime testing required | --- |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2005-03-11 22:49:54 UTC

To avoid any confusion: the above is taken from Vendor-Sec, it is NOT my work. The grip issue mentioned did not apply to our version; I haven't checked if this is also the case with libcdaudio and gnome-vfs.

Created attachment 53233: gnome-vfs2.patch

Created attachment 53234: libcdaudio.patch

GNOME team: please patch and bump gnome-vfs. gnome-vfs2.patch applies cleanly to 2.8.3-r1 or 2.8.4, so your choice for the fixed stable version.

max: please patch and bump libcdaudio (note: max hasn't been active for 14 weeks and the package is no-herd... we might need another bumper. Masking that package would break: x11-misc/bbcd, media-sound/cdcd, media-plugins/mythmusic, dev-perl/Audio-CD-disc-cover, app-cdr/gtkcdlabel, app-emacs/cdi, app-cdr/disc-cover. If anyone in GNOME or sound feels like patching this one...)

Created attachment 55185: libcdaudio-CAN-2005-0706.patch

To help whoever will patch libcdaudio: attached is a patch applying cleanly to libcdaudio-0.99.10. Tested as compiling OK.

gnome-vfs fixed versions are:
gnome-vfs-2.8.4-r1 (KEYWORDS="x86 ~ppc ~alpha ~sparc ~hppa ~amd64 ~mips ~ia64 ~ppc64 ~arm")
gnome-vfs-2.10.0-r1 (package.masked)
Could archs please stabilise gnome-vfs-2.8.4-r1.

ppc done

Applied the patch to libcdaudio-0.99.10-r1
libcdaudio-0.99.10-r1 (KEYWORDS="x86 ppc ~sparc ~alpha ~hppa ~mips ~amd64 ~ia64")
Could archs please stabilise this version.

Arches, please test and mark stable the 2 fixed ebuilds.
TARGET KEYWORDS:
gnome-vfs-2.8.4-r1: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86
libcdaudio-0.99.10-r1: alpha amd64 ~hppa ia64 ~mips ppc ppc64 sparc x86

stable on ppc64

sparc done.

mips done

Stable on alpha.

amd64 is done... just waiting on ia64

eradicator/amd64: apparently gnome-vfs-2.8.4-r1 is still ~amd64...

GLSA 200504-07

arm ia64 hppa: mark stable to benefit from the GLSA

Stable on hppa.

GNOME team: shouldn't the patch also be applied to the gnome-vfs-1.0.5 ebuild? Or should everyone remove that affected SLOT?

Applied to gnome-vfs-1.0.5-r4, apologies for missing that one.
gnome-vfs-1.0.5-r4 (KEYWORDS="~x86 ~ppc ~sparc ~alpha ~hppa ~amd64 ~ia64 ~mips ~ppc64 ~arm")

Koon - if only!

Arches, please test and mark gnome-vfs-1.0.5-r4 stable...

x86/ppc done.

mips done (again)

stable on ppc64

sparc done again.

Alpha done.

gnome-1.4 is not keyworded on amd64, so it seems that gnome-vfs-1.0.5-r4 shouldn't need to be marked stable for amd64 either.

amd64 stable

Ready, GLSA should be updated to include *>=1.0.5-r4 as unaffected.

update committed.

Already stable on hppa