Stack-based buffer overflow in the count_vcards function in LibVC 3, as used in Rolo, allows user-complicit attackers to execute arbitrary code via a vCard file (e.g. contacts.vcf) containing a long line.

See
http://osvdb.org/ref/23/23985-libvc.txt
http://secunia.com/advisories/19295/

rrdep for libc:
dev-libs/libvc <- app-misc/rolo mail-client/mutt-vc-query

libvc does not seem to have a maintainer, it was put in the tree by rizzo, who is not with the project anymore iirc. I couldn't find any sign of active development going on for libvc/rolo/...
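The advisory text above attributes the overflow to a long line in the vCard file. As an added illustration (hypothetical code, not LibVC's `count_vcards` and not the patch attached to this bug), the following C counts cards with a fixed buffer and bounded reads, and keeps track of partial lines so that an over-long line is neither written past the buffer nor miscounted. The names `count_vcards_bounded`, `CHUNK` and `demo_count` and the sample data are assumptions made for the example.

```c
/* Added example: hypothetical code, not LibVC's count_vcards(). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CHUNK 64  /* deliberately small so long lines span several reads */

/* Case-insensitive test for "BEGIN:VCARD" at the start of s. */
static int is_begin_vcard(const char *s)
{
    static const char tag[] = "BEGIN:VCARD";
    for (size_t i = 0; tag[i] != '\0'; i++)
        if (toupper((unsigned char)s[i]) != tag[i])
            return 0;  /* also stops at the NUL of a short string */
    return 1;
}

/* fgets() stores at most CHUNK bytes including the NUL, so a line of any
 * length cannot overrun buf; a longer line arrives as several chunks. */
int count_vcards_bounded(FILE *fp)
{
    char buf[CHUNK];
    int count = 0;
    int at_line_start = 1;  /* does the next chunk begin a new line? */

    while (fgets(buf, sizeof buf, fp) != NULL) {
        size_t len = strlen(buf);
        if (at_line_start && is_begin_vcard(buf))
            count++;
        /* No trailing '\n' means the line continues in the next chunk. */
        at_line_start = (len > 0 && buf[len - 1] == '\n');
    }
    return count;
}

/* Constructed sample: two cards. The NOTE line is padded to exactly
 * 80 * (CHUNK - 1) bytes so the embedded "BEGIN:VCARD" starts a chunk;
 * it is still mid-line and must not be counted as a third card. */
int demo_count(void)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return -1;
    fputs("BEGIN:VCARD\nFN:Alice\nNOTE:", fp);
    for (int i = 0; i < 80 * (CHUNK - 1) - 5; i++) fputc('A', fp);
    fputs("BEGIN:VCARD\nEND:VCARD\nbegin:vcard\nFN:Bob\nEND:VCARD\n", fp);
    rewind(fp);
    int n = count_vcards_bounded(fp);
    fclose(fp);
    return n;
}

int main(void) { printf("cards: %d\n", demo_count()); return 0; }
```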
no herd, no maintainer - joy. Rolo is affected, too. also has no maintainer. rizzo, if you are still around, could you fix this?
Created attachment 83245
libvc-003.diff

I did not see a patch anywhere for this one, so I'm thinking something like this should solve the problem.
We should call for a maintainer on this one, or mask it if nobody comes
Call for maintainer posted.
Nobody cares. I vote for masking.
Anyone else care to vote?
well, let's mask it :( this package is not widely used, afaik.
I vote for masking it.
masked, setting severity to enhancement so that we don't forget about this.
You broke two packages by doing this. Please make sure you check anything that might depend on a package before you just mask it. Here's the list:

mail-client/mutt-vc-query/mutt-vc-query-002.ebuild: x86(default-linux/x86/2006.0) ['dev-libs/libvc']
mail-client/mutt-vc-query/mutt-vc-query-002.ebuild: x86(default-linux/x86/no-nptl) ['dev-libs/libvc']
mail-client/mutt-vc-query/mutt-vc-query-002.ebuild: x86(default-linux/x86/no-nptl/2.4) ['dev-libs/libvc']
mail-client/mutt-vc-query/mutt-vc-query-002.ebuild: ppc(default-linux/ppc/ppc32/2006.0) ['dev-libs/libvc']
mail-client/mutt-vc-query/mutt-vc-query-002.ebuild: ~sparc(default-linux/sparc/sparc64/2006.0/2.4) ['dev-libs/libvc']
mail-client/mutt-vc-query/mutt-vc-query-002.ebuild: alpha(default-linux/alpha/2006.0) ['dev-libs/libvc']
mail-client/mutt-vc-query/mutt-vc-query-002.ebuild: alpha(default-linux/alpha/no-nptl) ['dev-libs/libvc']
mail-client/mutt-vc-query/mutt-vc-query-002.ebuild: alpha(default-linux/alpha/no-nptl/2.4) ['dev-libs/libvc']
mail-client/mutt-vc-query/mutt-vc-query-002.ebuild: ~amd64(default-linux/amd64/2006.0) ['dev-libs/libvc']
app-misc/rolo/rolo-011.ebuild: x86(default-linux/x86/2006.0) ['dev-libs/libvc']
app-misc/rolo/rolo-011.ebuild: x86(default-linux/x86/no-nptl) ['dev-libs/libvc']
app-misc/rolo/rolo-011.ebuild: x86(default-linux/x86/no-nptl/2.4) ['dev-libs/libvc']
app-misc/rolo/rolo-011.ebuild: ppc(default-linux/ppc/ppc32/2006.0) ['dev-libs/libvc']
app-misc/rolo/rolo-011.ebuild: sparc(default-linux/sparc/sparc64/2006.0/2.4) ['dev-libs/libvc']
app-misc/rolo/rolo-011.ebuild: alpha(default-linux/alpha/2006.0) ['dev-libs/libvc']
app-misc/rolo/rolo-011.ebuild: alpha(default-linux/alpha/no-nptl) ['dev-libs/libvc']
app-misc/rolo/rolo-011.ebuild: alpha(default-linux/alpha/no-nptl/2.4) ['dev-libs/libvc']
app-misc/rolo/rolo-011.ebuild: amd64(default-linux/amd64/2006.0) ['dev-libs/libvc']
app-misc/rolo/rolo-011.ebuild: amd64(default-linux/amd64/2006.0/no-multilib) ['dev-libs/libvc']

Thanks
Mhh, and what to do now? Should I mask the other packages, too - or should I bump libvc?
I would just send a notice to g-dev@ that the other packages must be masked as well due to the libvc mask. Just ask for someone to step up for those as well. (all three programs are related anyway)
(In reply to comment #12)
> I would just send a notice to g-dev@ that the other packages must be masked as
> well due to the libvc mask. Just ask for someone to step up for those as well.
> (all three programs are related anyway)

I'd let them all die, neither of them has seen an upstream release for 3 years, dead stuff.
Mail to -dev sent, thanks
Created attachment 88693
libvc-003-r1.ebuild

I use rolo, I have tested the patch and it seems that it works. Here is the ebuild. (I will be annoyed if this ebuild disappears)
Created attachment 88695
patch
I added Cedric Kriers ebuild to the tree with some cosmetic modifications. Thanks Cedric :)
I think these ebuilds can be unmasked now:
dev-libs/libvc
mail-client/mutt-vc-query
app-misc/rolo
It would certainly be nicer if we actually had a maintainer for the package otherwise we're just stuck again next time.
(In reply to comment #19)
> It would certainly be nicer if we actually had a maintainer for the package
> otherwise we're just stuck again next time.

cedk, are you interested?
I'm no more interested in the app because upstream didn't respond.
# Stefan Cornelius <dercorny@gentoo.org> (01 Jun 2006)
# masking because of security bug #127757
dev-libs/libvc
mail-client/mutt-vc-query
app-misc/rolo

These things have been masked for quite some time. Someone want to give them the boot?
treecleaners, please kill this bitrot. Thanks.
drac@unique ~/gentoo-x86/profiles $ cvs ci -m "Removed libvc, rolo, mutt-vc-query for bug 127757."
/var/cvsroot/gentoo-x86/profiles/package.mask,v <-- package.mask
new revision: 1.8595; previous revision: 1.8594
Mailing the commit message...
Oops, I shouldn't be closing security@ bugs.
This package is masked since 2006-06-01, but it was never maskglsa'd. I vote to close this without GLSA because of obsoleteness. Thoughts?
agreed... closing