Assuming that only CVE-2007-5400 of the four vulnerabilities is relevant.
rbu@peanut /var/tmp/portage/media-libs/win32codecs-20071007-r2/work/all-20071007 $ ls -la `grep -l "real.com" *`
-rwxr-xr-x 1 rbu rbu 42K 2005-02-15 20:39 cook.so
-rwxr-xr-x 1 rbu rbu 76K 2002-05-22 19:05 cook.so.6.0
-rwxr-xr-x 1 rbu rbu 314K 2005-02-15 20:40 drvc.so

I guess codecs in that package are just "added" and never really updated. How is that bunch of DLLs and SOs created, and is there a way to recreate it?
ping, media-video?
(In reply to comment #1)
> rbu@peanut
> /var/tmp/portage/media-libs/win32codecs-20071007-r2/work/all-20071007 $ ls -la
> `grep -l "real.com" *`
> -rwxr-xr-x 1 rbu rbu 42K 2005-02-15 20:39 cook.so
> -rwxr-xr-x 1 rbu rbu 76K 2002-05-22 19:05 cook.so.6.0
> -rwxr-xr-x 1 rbu rbu 314K 2005-02-15 20:40 drvc.so
>
> I guess codecs in that package are just "added" and never really updated. How
> is that bunch of DLLs and SOs created, and is there a way to recreate it?

AFAIK, they're just copies from binary distributions of the win32 software, assembled by upstream. Our only option is to pretty much dump support for win32 real codecs, which, considering how it's constantly the source of security issues, doesn't seem like such a bad idea.
(In reply to comment #3)
> Our only option is to pretty much dump support for win32 real codecs, which,
> considering how it's constantly the source of security issues, doesn't seem
> like such a bad idea.

Moving in that actual direction now, see bug 240341 for progress. win32codecs-20071007-r3 dropped support for real (which will be moved into realcodecs package, and remain unstable), and also put a use.mask for real on the package.
media-libs/win32codecs has been package.masked for removal, see bug 468406. @Security team: Can this bug be closed, or do you still want to send a GLSA (the "B2" severity level seems to suggest so)?
Package removed.
GLSA request filed.
This issue was resolved and addressed in GLSA 201312-11 at http://security.gentoo.org/glsa/glsa-201312-11.xml by GLSA coordinator Sergey Popov (pinkbyte).