Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 222823 - net-libs/gnutls < 2.2.5 Multiple vulnerabilities GNUTLS-SA-2008-1 (CVE-2008-{1948,1949,1950})
Summary: net-libs/gnutls < 2.2.5 Multiple vulnerabilities GNUTLS-SA-2008-1 (CVE-2008-{...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
URL: http://article.gmane.org/gmane.comp.e...
Whiteboard: A1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-05-19 15:22 UTC by Arttu Valo
Modified: 2020-04-09 06:40 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arttu Valo 2008-05-19 15:22:17 UTC
GNUTLS-SA-2008-1 reported vulnerabilities have been patched in GnuTLS version 2.2.4 released today.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-19 15:31:31 UTC
Thanks for reporting.

Maintainer, please bump.
Comment 2 John Brooks 2008-05-20 00:01:39 UTC
Should be dealt with quickly; there are three seperate remotely triggerable (prior to authentication) crash bugs fixed in this release, and at least two of them will affect almost any server application using GnuTLS. Should update to 2.2.5 rather than 2.2.4 - it fixes an issue introduced when fixing these vulnerabilities.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-05-20 02:18:23 UTC
It is currently unclear whether these bugs could be exploited to execute arbitrary code, so until that is clear, we should handle it as A1.

dragonheart, since alonbl unfortunately is retiring, can you bump this package?
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-05-20 11:53:27 UTC
https://www.cert.fi/haavoittuvuudet/advisory-gnutls.html
Comment 5 Daniel Black (RETIRED) gentoo-dev 2008-05-20 13:41:34 UTC
+gnutls-2.2.3.ebuild
Comment 6 Daniel Black (RETIRED) gentoo-dev 2008-05-20 14:12:38 UTC
(In reply to comment #5)
> +gnutls-2.2.3.ebuild
> 
er - +gnutls-2.2.5.ebuild :-)
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2008-05-20 14:29:01 UTC
Which should go stable, then?
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2008-05-20 14:37:04 UTC
Arches, please test and mark stable:
=net-libs/gnutls-2.2.5
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 release s390 sh sparc x86"
Comment 9 Jeroen Roovers gentoo-dev 2008-05-20 15:20:13 UTC
Might help to put a copy in distfiles-local quickly.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-05-20 15:35:13 UTC
(In reply to comment #9)
> Might help to put a copy in distfiles-local quickly.

Done. The josefsson.org is incredibly slow.
Comment 11 Jeroen Roovers gentoo-dev 2008-05-20 16:02:47 UTC
Stable for HPPA.
Comment 12 franky 2008-05-20 17:50:42 UTC
guys, there's somthing wrong with the configure options in gnutls-2.2.x!

---snip----
local myconf
        use bindist && myconf="--disable-lzo" || myconf="$(use_enable lzo)"
---snip----

--disable-lzo should be --without-lzo, otherwise it's a UNRECOGNIZED option,
and (use_enable lzo) should be (use_with lzo).

Shall i open a new bug report? Just discovered the issue.

FranKY
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2008-05-20 19:08:43 UTC
alpha/ia64/sparc/x86 stable.

Franz, please open a new bug.
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2008-05-20 19:16:07 UTC
Thanks for spotting this Franz:

./configure --prefix=/usr --host=powerpc64-unknown-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --without-included-opencdk --with-zlib --with-lzo --enable-nls --disable-guile --disable-gtk-doc --enable-lzo --libdir=/usr/lib64 --build=powerpc64-unknown-linux-gnu
configure: WARNING: Unrecognized options: --enable-lzo

the error is from the redundant entrys --enable-lzo and --with-lzo.

src_compile() logic is broken. it does first "use bindist && myconf="--disable-lzo" || myconf="$(use_enable lzo)"" and then "econf [...] $(use_with lzo)"

I removed the redundant one after econf and changed use_enable to use_with in the bindist line. I also changed --disable-lzo to --without-lzo.

ppc64 stable by the way.
Comment 15 Richard Freeman gentoo-dev 2008-05-21 15:11:53 UTC
amd64 stable
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-21 16:21:49 UTC
ppc stable
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-05-21 21:57:51 UTC
GLSA 200805-20
Comment 18 Peter Volkov (RETIRED) gentoo-dev 2008-05-22 10:12:38 UTC
Fixed in release snapshot.