Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 165837 - dev-libs/STLport < 5.0.3 (?) two buffer overflows (CVE-2007-0803)
Summary: dev-libs/STLport < 5.0.3 (?) two buffer overflows (CVE-2007-0803)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://sourceforge.net/project/showno...
Whiteboard: B2 [glsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2007-02-07 21:45 UTC by Matt Drew (RETIRED)
Modified: 2007-03-06 21:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Drew (RETIRED) gentoo-dev 2007-02-07 21:45:51 UTC
http://secunia.com/advisories/24024/

Secunia says that these are present in versions < 5.0.3, but it is not at all clear if they include the 4.6 series in that statement.  Bumping to 5.0.3 looks to be the ticket.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 22:15:43 UTC
"unspecified vectors". I hate that. Is it hard to upgrade from 4.6 to 5.0 and to stabilize 5.0 ?
Comment 2 Tiziano Müller (RETIRED) gentoo-dev 2007-02-11 23:58:37 UTC
Short answer from upstream whether 4.6 is affected: "Not supported and has many bugs."

So, since STLPort-5.1 needs gcc-4* and sparc doesn't have that one yet, the only upgrade path leads to 5.0.3. Which is now in the tree.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-12 07:45:20 UTC
(In reply to comment #2)
> So, since STLPort-5.1 needs gcc-4* and sparc doesn't have that one yet, the
> only upgrade path leads to 5.0.3. Which is now in the tree.
> 

Thanks Tiziano

Hi arches, please test and mark stable STLport-5.0.3 if appropriate, thanks.
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2007-02-12 13:45:28 UTC
Doesn't seem to build without boost:

sparc-unknown-linux-gnu-g++ -pthread -fexceptions -fident  -fPIC  -fuse-cxa-atexit -mcpu=ultrasparc -mtune=ultrasparc -O2 -pipe -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE  -D_STLP_REAL_LOCALE_IMPLEMENTED -D_GNU_SOURCE -I../../stlport  -c -o obj/gcc/shared/num_put_float.o ../../src/num_put_float.cpp
In file included from ../../stlport/cmath:103,
                 from ../../src/num_put_float.cpp:84:
../../stlport/stl/_cmath.h: In function `long double abs(long double)':
../../stlport/stl/_cmath.h:229: error: `::fabsl' has not been declared
../../stlport/stl/_cmath.h: In function `long double acos(long double)':
../../stlport/stl/_cmath.h:234: error: `::acosl' has not been declared
../../stlport/stl/_cmath.h: In function `long double asin(long double)':
../../stlport/stl/_cmath.h:235: error: `::asinl' has not been declared
../../stlport/stl/_cmath.h: In function `long double atan(long double)':
../../stlport/stl/_cmath.h:236: error: `::atanl' has not been declared
../../stlport/stl/_cmath.h: In function `long double atan2(long double, long double)':
../../stlport/stl/_cmath.h:237: error: `::atan2l' has not been declared
../../stlport/stl/_cmath.h: In function `long double ceil(long double)':
../../stlport/stl/_cmath.h:238: error: `::ceill' has not been declared
../../stlport/stl/_cmath.h: In function `long double cos(long double)':
../../stlport/stl/_cmath.h:239: error: `::cosl' has not been declared
../../stlport/stl/_cmath.h: In function `long double cosh(long double)':
../../stlport/stl/_cmath.h:240: error: `::coshl' has not been declared
../../stlport/stl/_cmath.h: In function `long double exp(long double)':
../../stlport/stl/_cmath.h:241: error: `::expl' has not been declared
../../stlport/stl/_cmath.h: In function `long double fabs(long double)':
../../stlport/stl/_cmath.h:242: error: `::fabsl' has not been declared
../../stlport/stl/_cmath.h: In function `long double floor(long double)':
../../stlport/stl/_cmath.h:243: error: `::floorl' has not been declared
../../stlport/stl/_cmath.h: In function `long double fmod(long double, long double)':
../../stlport/stl/_cmath.h:244: error: `::fmodl' has not been declared
../../stlport/stl/_cmath.h: In function `long double frexp(long double, int*)':
../../stlport/stl/_cmath.h:245: error: `::frexpl' has not been declared
../../stlport/stl/_cmath.h: In function `long double ldexp(long double, int)':
../../stlport/stl/_cmath.h:247: error: `::ldexpl' has not been declared
../../stlport/stl/_cmath.h: In function `long double log(long double)':
../../stlport/stl/_cmath.h:248: error: `::logl' has not been declared
../../stlport/stl/_cmath.h: In function `long double log10(long double)':
../../stlport/stl/_cmath.h:249: error: `::log10l' has not been declared
../../stlport/stl/_cmath.h: In function `long double modf(long double, long double*)':
../../stlport/stl/_cmath.h:250: error: `::modfl' has not been declared
../../stlport/stl/_cmath.h: In function `long double pow(long double, long double)':
../../stlport/stl/_cmath.h:282: error: `::powl' has not been declared
../../stlport/stl/_cmath.h: In function `long double pow(long double, int)':
../../stlport/stl/_cmath.h:302: error: `::powl' has not been declared
../../stlport/stl/_cmath.h: In function `long double sin(long double)':
../../stlport/stl/_cmath.h:324: error: `::sinl' has not been declared
../../stlport/stl/_cmath.h: In function `long double sinh(long double)':
../../stlport/stl/_cmath.h:325: error: `::sinhl' has not been declared
../../stlport/stl/_cmath.h: In function `long double sqrt(long double)':
../../stlport/stl/_cmath.h:326: error: `::sqrtl' has not been declared
../../stlport/stl/_cmath.h: In function `long double tan(long double)':
../../stlport/stl/_cmath.h:327: error: `::tanl' has not been declared
../../stlport/stl/_cmath.h: In function `long double tanh(long double)':
../../stlport/stl/_cmath.h:328: error: `::tanhl' has not been declared
../../stlport/stl/_cmath.h: In function `long double hypot(long double, long double)':
../../stlport/stl/_cmath.h:342: error: `::hypotl' has not been declared
make: *** [obj/gcc/shared/num_put_float.o] Error 1
make: Leaving directory `/var/tmp/portage/STLport-5.0.3/work/STLport-5.0.3/build/lib'

!!! ERROR: dev-libs/STLport-5.0.3 failed.
Call stack:
  ebuild.sh, line 1546:   Called dyn_compile
  ebuild.sh, line 937:   Called src_compile
  STLport-5.0.3.ebuild, line 80:   Called die

!!! Compile failed
!!! If you need support, post the topmost build error, and the call stack if relevant.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-02-12 17:28:02 UTC
x86 safe.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-12 19:03:49 UTC
Doesn't build on ppc:

>>> Compiling source in /var/tmp/portage/STLport-5.0.3/work/STLport-5.0.3 ...
make: Entering directory `/var/tmp/portage/STLport-5.0.3/work/STLport-5.0.3/build/lib'
In file included from ../../src/stlport_prefix.h:20,
                 from ../../src/dll_main.cpp:29:
../../stlport/stl/_config.h:179:6: error: #error "can't determine endianess"
Comment 7 Joe Jezak (RETIRED) gentoo-dev 2007-02-13 03:44:08 UTC
ppc will have to stabilize 5.1, a number of ppc bugs including the one dertobi123 mentioned are fixed in 5.1.
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2007-02-13 10:58:00 UTC
STLport-5.1.0 stable on ppc64
Comment 9 Steve Dibb (RETIRED) gentoo-dev 2007-02-13 13:49:31 UTC
amd64 stable
Comment 10 Olaf Józefowicz 2007-02-14 10:28:29 UTC
/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.1/../../../../x86_64-pc-linux-gnu/bin/ld: obj/gcc/so/dll_main.o: relocation R_X86_64_32 against `stlp_std::_Atomic_swap_struct<1>::_S_swap_lock' can not be used when making a shared object; recompile with -fPIC
obj/gcc/so/dll_main.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
make: *** [obj/gcc/so/libstlport.so.5.1.0] Error 1
make: Leaving directory `/var/tmp/portage/dev-libs/STLport-5.1.0/work/STLport-5.1.0/build/lib'

!!! ERROR: dev-libs/STLport-5.1.0 failed.
Call stack:
  ebuild.sh, line 1614:   Called dyn_compile
  ebuild.sh, line 971:   Called qa_call 'src_compile'
  environment, line 3531:   Called src_compile
  STLport-5.1.0.ebuild, line 80:   Called die

!!! Compile failed
!!! If you need support, post the topmost build error, and the call stack if relevant.
!!! A complete build log is located at '/var/tmp/portage/dev-libs/STLport-5.1.0/temp/build.log'.

Portage 2.1.2-r9 (default-linux/amd64/2006.1, gcc-4.1.1, glibc-2.4-r3, 2.6.18-gentoo-r6 x86_64)
=================================================================
System uname: 2.6.18-gentoo-r6 x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.12.1
Timestamp of tree: Wed, 14 Feb 2007 09:50:01 +0000
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -pipe -O2"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/terminfo"
CXXFLAGS="-march=athlon64 -pipe -O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://gentoo.po.opole.pl/"
LINGUAS="pl"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac alsa amd64 arts berkdb bitmap-fonts cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr firefox fortran gdbm gif gpm gtk gtk2 hal iconv ipv6 isdnlog java jpeg kde libg++ midi mp3 mpeg mplayer ncurses nls nptl nptlonly ogg opengl oss pam pcre pdf perl png ppds pppd python qt3 readline reflection samba session sndfile spl ssl tcl tcltk tcpd tk truetype truetype-fonts type1-fonts unicode usb vcd xine xorg xvid zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="pl" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 11 Tiziano Müller (RETIRED) gentoo-dev 2007-02-14 18:47:36 UTC
Olaf: Please file a new bug since yours is a different issue (STLport-5.1.0 vs STLport-5.0.3).
Comment 12 Tiziano Müller (RETIRED) gentoo-dev 2007-02-14 18:56:13 UTC
@ppc, @sparc: I added patches for your archs (to hopefully solve the issues you mentioned), please re-test. Thanks!
Comment 13 Jason Wever (RETIRED) gentoo-dev 2007-02-17 22:08:17 UTC
Stable on SPARC
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-18 11:12:38 UTC
ppc stable
Comment 15 Matthias Geerdsen (RETIRED) gentoo-dev 2007-03-06 21:37:44 UTC
GLSA 200703-07

thanks everyone