Attaching patches in a moment.
Created attachment 124945 [details, diff]
Patch for issue reported by Tracey Parry of Portcullis Computer Security Ltd.
Created attachment 124947 [details, diff]
Reported by Dirk Mueller.
Caleb please advise. Do NOT commit anything yet. Instead you can attach updated ebuilds to this bug for prestable testing if needed.
both patches look mostly harmless to me. 99% of them just affect debugging output, which shouldn't matter to anyone really. The very last line on the format-warning.diff seems to affect reverseable layouts, which might cause an impact to someone who uses a right-to-left language, but I don't have any way to test that particular feature.
In short: the patches look completely fine to me.
Thx Caleb. Do you want prestable arch testing or should we just wait until the issues go public?
I don't see any fixes in here that would affect any arches at all, really, so I think we're okay to wait.
also, since qt-4.3.0 is ready for a stablization request for the arches anyway, we can just tie these patches with a normal stablization request. I'm not sure if these will work against the qt-4.2 series, but it may not be necessary to even worry about that.
The initial report for CVE-2007-3388 said to affect qt-3 only. So I guess we're going directly to stable on qt-3 once the release date is reached?
oh, didn't realize it was qt3 only. in any case, no problem going straight to stable with the patches.
Created attachment 125619 [details, diff]
Caleb, did you see any public information about this yet? Disclosure date should have been friday, I wonder wether it was postponed.
*** Bug 187465 has been marked as a duplicate of this bug. ***
this is public now, sorry for the delay.
Arches, please test and mark stable:
qt-3.3.8-r3 and qt-4.3.0-r1 (target "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86 ~x86-fbsd"
How about updating the qt.eclass as well when you throw a new qt ebuild into portage?
Currently I get circular dependency errors when updating world because 3.3.8-r3 is not listed in the QT3VERSIONS variable of qt.eclass...
Of course I mean qt3.eclass.
x86 stable and qt3.eclass has been fixed by carlo, thanks.
All looks good here. Building kdelibs against qt-3.3.8-r3 works fine.
Is there anything additional to test so that I know that the vulnerability itself is fixed?
Portage 188.8.131.52 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.5-r4, 2.6.20-gentoo-r7 x86_64)
System uname: 2.6.20-gentoo-r7 x86_64 unknown
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 02 Aug 2007 19:01:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
CFLAGS="-march=athlon64 -O2 -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon64 -O2 -pipe"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test userpriv"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
USE="X acl aiglx aim amd64 berkdb bitmap-fonts branding cli cracklib crypt cups dri fortran gdbm gpm gtk iconv imap ipv6 isdnlog libg++ midi mmx mpeg3 mudflap ncurses nls nptl nptlonly nvidia opengl openmp pam pcre perl pppd python qt3 readline reflection session sockets spl sqlite3 sse sse2 ssl tcpd test truetype-fonts type1-fonts unicode vim xcomposite xine xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
/usr/portage/x11-libs/qt/qt-4.3.0-r1.ebuild: line 122: epatch/usr/portage/x11-libs/qt/files/0185-fix-format-strings.diff: No such file or directory
Yeah, Bug 187552... No point in stabilizing this ATM, plus it will IMO require another revbump because users silently failed to get the right patch for this issue w/ 4.3.0-r1 :(
Sorry for the typo guys, please do qt-3.3.8-r3 (if you didn't already) and qt-4.3.0-r2.
Both stable for HPPA.
GLSA 200708-16, sorry for the delay