CVE-2010-1457 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1457): Tools/gdomap.c in gdomap in GNUstep Base before 1.20.0 allows local users to read arbitrary files via a (1) -c or (2) -a option, which prints file contents in an error message.
Is 1.20.1 ready to go stable?
CVE-2010-1620 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1620): Integer overflow in the load_iface function in Tools/gdomap.c in gdomap in GNUstep Base before 1.20.0 might allow context-dependent attackers to execute arbitrary code via a (1) file or (2) socket that provides configuration data with many entries, leading to a heap-based buffer overflow.
Well I had no problems myself (and no bugreports) on 1.20.*, so 1.20.1 can certainly go stable
This will require stabling of other gnustep-base/ packages though (stable gnustep-gui-0.16.0 does not build with gnustep-base-1.20). Here is the list for the set of packages to go with 1.20:
- gnustep-base/gnustep-make-2.4.0 (amd64, ppc, ppc64, sparc, x86)
- gnustep-base/gnustep-base-1.20.1 (amd64, ppc, sparc, x86)
- gnustep-base/gnustep-gui-0.18.0 (amd64, ppc, sparc, x86)
- gnustep-base/gnustep-back-art-0.18.0 (amd64, ppc, sparc, x86)
- gnustep-base/gnustep-back-xlib-0.18.0 (amd64, ppc, sparc, x86)
- gnustep-base/gnustep-back-cairo-0.18.0 (amd64, x86)
and the virtual for the last 3:
- virtual/gnustep-back-0.18.0 (amd64, ppc, sparc, x86)
Same comment as 1.20.1, I have seen no problems myself and no bugreports opened
Re-rating as per comment #2.
(In reply to comment #3)
> Well I had no problems myself (and no bugreports) on 1.20.*, so 1.20.1 can
> certainly go stable
>
> This will require stabling of other gnustep-base/ packages though (stable
> gnustep-gui-0.16.0 does not build with gnustep-base-1.20).
Thanks for the detailed response. Arches, please stabilise as outlined in comment #3.
amd64 stable
x86 stable
ppc64 stable (for the only package listed for ppc64 here, gnustep-make)
sparc stable
Marked ppc stable.
All arches stable, previous stable versions removed from tree
GLSA Request Filed.
This issue was resolved and addressed in GLSA 201401-12 at http://security.gentoo.org/glsa/glsa-201401-12.xml by GLSA coordinator Sergey Popov (pinkbyte).