Array index error in Jan Eric Kyprianidis lib3ds 1.x, as used in
Google SketchUp 7.x before 7.1 M2, allows remote attackers to cause a
denial of service (memory corruption) or possibly execute arbitrary
code via crafted structures in a 3DS file, probably related to mesh.c.
According to http://secunia.com/advisories/38185/ this is fixed in version 2.0 Release Candidate 1, which is tagged in the upstream repo: http://code.google.com/p/lib3ds/source/browse/#svn%2Ftags%2Flib3ds-2.0.0-rc1
Maintainers, please provide an updated ebuild for this security issue.
@games: ping, need a bump.
Security bumped. Arches, please stabilize:
Target arches: amd64 ppc ppc64 x86
Created attachment 358922
=media-libs/lib3ds-2.0.0_rc1 fails to compile here on ~amd64 if eautoreconf is not run, because of links in the examples, I think. I attach the patch.
I couldn't reproduce that behavior here, could you please attach a full build.log?
Created attachment 358940
here it is.
Thank you. Not knowing that I killed examples directory in all source autotool files to get it built :-).
GLSA drafted and ready for review.
Maintainers, please drop the vulnerable version.
Maintainers, are there any reasons we need to keep 1.3.0 around as it is still vulnerable?
Did anyone confirm that lib3ds-2 doesn't break any of the packages that use lib3ds?
@maintainers: can we clean lib3ds-1.3.0? This has been in cleanup mode for approximately 6 months. Will clean in 15 days if no response is given.
Maintainer(s), Thank you for cleanup!
This issue was resolved and addressed in
GLSA 201405-23 at http://security.gentoo.org/glsa/glsa-201405-23.xml
by GLSA coordinator Sean Amoss (ackle).