CVE-2010-0409 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0409): Buffer overflow in the GMIME_UUENCODE_LEN macro in gmime/gmime-encodings.h in GMime before 2.4.15 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via input data for a uuencode operation.
2.4.14 was never added to the tree.
We have got 2.2.x and 2.4.9 in tree. I checked the code of 2.4.9 and it seems to need the patch.
Patch for 2.4.x here: http://ftp.gnome.org/pub/GNOME/sources/gmime/2.4/gmime-2.4.14-2.4.15.diff.gz
2.2.x has the issue, too, but it's a different file:
gmime/gmime-utils.h:#define GMIME_UUENCODE_LEN(x) ((size_t) (((((x) + 2) / 45) * 62) + 62))
gnome, can we stable 2.4.15 and drop 2.2.x?
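The macro above is an allocation-size estimate: callers size the output buffer with GMIME_UUENCODE_LEN(n) and the encoder then writes into it, so the macro underestimating for some n is exactly how a heap overflow of this kind arises. The harness below is an added example, not code from this thread or from GMime. It copies the pre-fix macro verbatim from comment #2, pairs it with a minimal uuencoder written here (standard 45-byte lines plus the empty "`" terminator line, no begin/end headers; it is not GMime's encoder and makes no claim about how GMime's output differs), and exhaustively checks that the estimate is an upper bound on the real output size for every input length up to a limit. The names uuencode, uu_actual_len, first_underestimate, page_macro_bound and naive_bound are this example's own. Against an encoder whose framing differs from the generic one, the same harness is what would surface a short estimate; the constructed naive_bound is included only to show what a reported failure looks like.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Pre-fix length macro, copied verbatim from comment #2 (GMime 2.2.x gmime-utils.h). */
#define GMIME_UUENCODE_LEN(x) ((size_t) (((((x) + 2) / 45) * 62) + 62))

/* uuencode digit: 6-bit value to printable ASCII, with 0 rendered as '`' (traditional). */
static char uu_char(unsigned v) { return v ? (char)(v + 32) : '`'; }

/* Encode one line of n (0..45) input bytes: length char, 4 chars per 3 bytes, '\n'.
 * Returns the number of output bytes written. Written for this example; not GMime's code. */
static size_t uu_line(const uint8_t *in, size_t n, char *out) {
    size_t o = 0, i;
    out[o++] = uu_char((unsigned)n);
    for (i = 0; i < n; i += 3) {
        unsigned b0 = in[i];
        unsigned b1 = i + 1 < n ? in[i + 1] : 0;
        unsigned b2 = i + 2 < n ? in[i + 2] : 0;
        out[o++] = uu_char(b0 >> 2);
        out[o++] = uu_char(((b0 & 3) << 4) | (b1 >> 4));
        out[o++] = uu_char(((b1 & 15) << 2) | (b2 >> 6));
        out[o++] = uu_char(b2 & 63);
    }
    out[o++] = '\n';
    return o;
}

/* Encode the whole body: 45-byte lines, then the empty terminating line "`\n".
 * The caller must provide at least uu_actual_len(n) bytes in out. */
size_t uuencode(const uint8_t *in, size_t n, char *out) {
    size_t o = 0, i;
    for (i = 0; i < n; i += 45)
        o += uu_line(in + i, n - i < 45 ? n - i : 45, out + o);
    o += uu_line(in, 0, out + o);  /* terminator line */
    return o;
}

/* Exact output size of uuencode() for n input bytes, computed arithmetically. */
size_t uu_actual_len(size_t n) {
    size_t full = n / 45, rest = n % 45;
    size_t len = full * 62;                       /* 1 + 60 + '\n' per full line */
    if (rest) len += 1 + ((rest + 2) / 3) * 4 + 1; /* partial line, 3 bytes -> 4 chars */
    return len + 2;                               /* "`\n" terminator */
}

/* Property check: first n in [0, max] for which bound(n) is smaller than the
 * encoder's real output size, or -1 if the bound holds for every n. */
long first_underestimate(size_t (*bound)(size_t), size_t max) {
    size_t n;
    for (n = 0; n <= max; n++)
        if (bound(n) < uu_actual_len(n)) return (long)n;
    return -1;
}

/* Encode into a scratch buffer and compare with an expected string; also confirms
 * that the bytes actually written equal uu_actual_len(n). Inputs must be < 150 bytes. */
int encodes_to(const uint8_t *in, size_t n, const char *expected) {
    char buf[256];
    size_t w = uuencode(in, n, buf);
    return w == uu_actual_len(n) && w == strlen(expected) && memcmp(buf, expected, w) == 0;
}

size_t page_macro_bound(size_t n) { return GMIME_UUENCODE_LEN(n); }
/* Constructed, deliberately naive estimate (4/3 expansion, no line overhead) so the
 * harness has a failing case to report; it is not from the page. */
size_t naive_bound(size_t n) { return n * 4 / 3; }

int main(void) {
    static const uint8_t sample[] = "Cat";  /* constructed input; encodes to "#0V%T\n`\n" */
    char out[64];
    size_t w = uuencode(sample, 3, out);
    printf("%.*s", (int)w, out);
    printf("page macro: first underestimate in 0..4096 = %ld\n",
           first_underestimate(page_macro_bound, 4096));
    printf("naive bound: first underestimate in 0..4096 = %ld\n",
           first_underestimate(naive_bound, 4096));
    return 0;
}
```

Running it prints the encoded sample and then -1 for the page macro (it is a valid upper bound for this generic encoder's output) and 0 for the naive estimate (the terminator alone already exceeds it). The point of the check is that a size macro is only trustworthy relative to the encoder that consumes it, so the harness belongs next to the library's own encoder and in its test suite, where any later change to the line framing re-runs it.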
(In reply to comment #2)
> gnome, can we stable 2.4.15 and drop 2.2.x?

It cannot be dropped yet since some apps still require it in the tree. I will try to get it backported: https://bugzilla.gnome.org/show_bug.cgi?id=614025
This security problem is solved then with the following versions:
dev-libs/gmime-2.2.26
dev-libs/gmime-2.4.15
The package is being stabilized in bug 324157. ppc64 is still missing.
ppc64 now has 2.4.17 and 2.2.26 stable. Please proceed.
Thanks, everyone. GLSA request filed.
This issue was resolved and addressed in GLSA 201401-19 at http://security.gentoo.org/glsa/glsa-201401-19.xml by GLSA coordinator Sean Amoss (ackle).