Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 109705 - media-libs/netpbm buffer overflow (CAN-2005-2978)
Summary: media-libs/netpbm buffer overflow (CAN-2005-2978)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
: 107609 (view as bug list)
Depends on:
Reported: 2005-10-18 07:04 UTC by Thierry Carrez (RETIRED)
Modified: 2005-10-21 05:14 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2005-10-18 07:04:56 UTC
CAN-2005-2978 :
RedHat discovered a buffer overflow in the netpbm utility pnmtopng.

Prepared ebuild should be committed direct to stable on the following archs :
alpha amd64 hppa ppc ppc64 sparc x86

Also media-libs/urt-3.1b-r1 should be pushed to ppc64 stable at the same time.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-10-18 07:05:38 UTC
*** Bug 107609 has been marked as a duplicate of this bug. ***
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-10-18 07:06:34 UTC
vapier: please commit your ebuild from bug 107609.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-10-18 08:30:28 UTC
Hm. In fact 10.29 is fixed, so we should move to that.

Calling arch testers again (sorry bout that):
Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"

Stable any >=10.29 of your liking.

Comment 4 Lares Moreau 2005-10-18 10:07:15 UTC
emerged 10.29-r1, without issue. 
this ebuild depends on media-libs/urt which is also unstable in this arch.

perhaps a bug for media-libs/urt stabilization is in order, to handle the
stablization of this dependency.
Comment 5 SpanKY gentoo-dev 2005-10-18 10:32:13 UTC
no one said 10.29-r1 needs to be the one stabilized
Comment 6 Lares Moreau 2005-10-18 10:44:31 UTC
Thierry Carrez wrote: "Hm. In fact 10.29 is fixed, so we should move to that."

is not 10.29-r1 the logical package to stabilize?
Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-10-18 11:10:05 UTC
ppc and hppa done.
Comment 8 Andrej Kacian (RETIRED) gentoo-dev 2005-10-18 12:12:53 UTC
If you don't want 10.29-r1 stabilized, don't say things like "Stable any >=10.29
of your liking." (comment #3). My liking was to stabilize 10.29-r1, because
changelog entry for that revision says it contains multiple fixes.
Comment 9 SpanKY gentoo-dev 2005-10-18 13:05:32 UTC

what is logical is that you move to whatever package is the easiest or whichever
version an arch team decides on
Comment 10 Andrej Kacian (RETIRED) gentoo-dev 2005-10-18 14:04:22 UTC
Oh, so we don't care about quality now, but about having to do least possible
amount of work now? Sorry I asked then.
Comment 11 Andrej Kacian (RETIRED) gentoo-dev 2005-10-18 14:25:30 UTC
10.29 stable on x86
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2005-10-18 16:04:41 UTC
Alpha stable.
Comment 13 Luis Medinas (RETIRED) gentoo-dev 2005-10-18 16:21:53 UTC
amd64 done
Comment 14 Brent Baude (RETIRED) gentoo-dev 2005-10-18 19:37:26 UTC
Marked 10.29 ppc64 stable
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-10-19 00:25:15 UTC
(In reply to comment #10)
> Oh, so we don't care about quality now, but about having to do least possible
> amount of work now? Sorry I asked then.

When multiple security-fixed versions are available, we (security) don't dictate
which fixed version the arch teams must choose. This is their choice to decide
which version is best fit for their arch stable tree. As long as the
vulnerability is fixed, we are ok with it. That's what vapier was trying to say
in his own words.
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2005-10-19 08:34:06 UTC
10.29 sparc stable.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-10-20 04:43:09 UTC
GLSA 200510-18
mips should mark stable to benefit from GLSA
Comment 18 Aaron Walker (RETIRED) gentoo-dev 2005-10-21 05:14:42 UTC
10.29 stable on mips.