Bug 330267 - [java-overlay] Critical buffer overflow in dev-java/jogl-1.1.1
Summary: [java-overlay] Critical buffer overflow in dev-java/jogl-1.1.1
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified
Hardware: All All
Importance: High critical
Assignee: Java team
URL: http://en.wikipedia.org/wiki/Java_Ope...
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2010-07-28 20:45 UTC by Richard
Modified: 2015-10-23 15:18 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---



Description Richard 2010-07-28 20:45:20 UTC
JOGL 1.1.1a was released a year ago to resolve a critical buffer overflow in JOGL 1.1.1, yet the overlay is still using JOGL 1.1.1.

Reproducible: Didn't try

Steps to Reproduce:




I posted about the buffer overflow in bug #143019 about two weeks ago, but nothing was done with it between then and now, so I wanted to expedite the process. I tried fixing this myself, but I had some difficulties, so I consulted with Betelgeuse in #gentoo-java. I was able to figure out how to fix this with his help.

A simple revision bump of the dev-java/jogl-1.1.1 ebuild will not work because the version number is hard-coded in the download URL. Fixing that causes a compilation error because the older version of gluegen does not work with the newer version of jogl. Bumping gluegen to match the version bundled with the newer version of jogl enabled jogl-1.1.1a to build, but it led me to discover that the gluegen version numbering in portage differs from upstream.

According to upstream's SVN, the bundled gluegen with jogl 1.1.1 is version 1.0b06 and the bundled gluegen with jogl 1.1.1a is version 1.0b06a:

https://gluegen.dev.java.net/source/browse/gluegen/tags/

I recommend deleting the existing jogl and gluegen ebuilds in portage and replacing them with proper ebuilds for jogl-1.1.1a and gluegen-1.0b06a.
Comment 1 Richard 2010-07-28 20:55:12 UTC
I forgot to mention that there are currently two ebuilds for gluegen in portage, dev-java/gluegen-20080421 and dev-java/gluegen-20090509. dev-java/gluegen-20080421 should have been called dev-java/gluegen-1.0b06, while dev-java/gluegen-20090509 is an svn snapshot of gluegen between dev-java/gluegen-1.0b06 and dev-java/gluegen-1.0b06a. It uses a different ebuild file than the current dev-java/gluegen-20080421 and fails to build properly.

Deleting the dev-java/gluegen-20090509 ebuild file and revision bumping dev-java/gluegen-20080421 to dev-java/gluegen-20090509 will enable dev-java/gluegen-20090509 to be built and installed, but having it installed causes build failures in both dev-java/jogl-1.1.1 and dev-java/jogl-1.1.1a. I would also like to recommend that dev-java/gluegen-20080421 be used as a basis for dev-java/gluegen-1.0b06.
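The two failure modes the reporter ran into above (a bump that still fetches the old source because the version is hard-coded in the download URL, and a jogl build that breaks against a gluegen whose version does not match the one upstream bundles) can both be made visible before anything is compiled. The following is an added illustration written for this bug page, not an ebuild from the java-overlay or the science overlay: the download host, file layout and function names are assumptions for illustration, and the only page-supplied facts are the jogl-to-gluegen pairing (1.1.1 with 1.0b06, 1.1.1a with 1.0b06a).

```bash
#!/usr/bin/env bash
# Added example for this bug page; not code from the java-overlay.
# Host and file layout below are placeholders, not the real upstream location.

# Fragile pattern: the version is baked into the URL, so renaming
# jogl-1.1.1.ebuild to jogl-1.1.1a.ebuild still fetches the vulnerable 1.1.1.
src_uri_hardcoded() {
    echo "https://example.invalid/jogl/jogl-1.1.1-src.zip"
}

# Robust pattern: derive the archive name from the version Portage parses out
# of the ebuild filename (PV), so a bump changes what is fetched automatically.
src_uri_from_pv() {
    local pv="$1"
    echo "https://example.invalid/jogl/jogl-${pv}-src.zip"
}

# Upstream bundles a specific gluegen with each jogl release (from the report:
# 1.1.1 -> 1.0b06, 1.1.1a -> 1.0b06a). Encoding the pairing turns a version
# mismatch into a dependency error instead of a late compile failure.
gluegen_for_jogl() {
    case "$1" in
        1.1.1)  echo "1.0b06" ;;
        1.1.1a) echo "1.0b06a" ;;
        *)      echo "unknown jogl version: $1" >&2; return 1 ;;
    esac
}

# Emit the DEPEND line pinning gluegen to the exact version jogl ${pv} expects.
depend_line() {
    local pv="$1" gg
    gg=$(gluegen_for_jogl "$pv") || return 1
    echo "DEPEND=\"~dev-java/gluegen-${gg}\""
}

# Consistency check a bump should pass: the fetch URL must name the version
# actually being built; the hard-coded URL fails this for 1.1.1a.
bump_is_consistent() {
    local pv="$1" uri="$2"
    case "$uri" in
        *"jogl-${pv}-"*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Stand-alone demonstration.
for pv in 1.1.1 1.1.1a; do
    uri=$(src_uri_from_pv "$pv")
    printf '%s -> %s\n' "$pv" "$uri"
    depend_line "$pv"
done
if ! bump_is_consistent 1.1.1a "$(src_uri_hardcoded)"; then
    echo "hard-coded SRC_URI would still fetch 1.1.1 after the bump"
fi
```

Running the script shows the ${PV}-derived URL following the bump while the hard-coded one silently keeps fetching the vulnerable release, which is why the reporter found that a plain revision bump was not enough.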
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2011-11-05 16:35:12 UTC
ping, any progress here?
Comment 3 Ralph Sennhauser (RETIRED) gentoo-dev 2012-05-15 20:42:45 UTC
(In reply to comment #2)
> ping, any progress here?

Bumped jogl to 2.0_rc8 and dropped KEYWORDS on 1.1.1. How do you want to proceed from here?
Comment 4 Justin Lecher (RETIRED) gentoo-dev 2014-01-03 12:06:38 UTC
Science overlay fixed:

+  03 Jan 2014; Justin Lecher <jlec@gentoo.org> -jogl-1.1.1.ebuild,
+  +jogl-1.1.1a.ebuild:
+  Bump away from vulnerable version, #330267
+
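Review bot: The ChangeLog entry records only the swap of jogl-1.1.1.ebuild for jogl-1.1.1a.ebuild; the report above states that 1.1.1a fails to build against the older gluegen and needs the bundled 1.0b06a, so the entry (or the new ebuild's DEPEND) should say how the gluegen dependency was satisfied, for example by pinning "~dev-java/gluegen-1.0b06a" or noting that the overlay's gluegen was bumped alongside it.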
Comment 5 Patrice Clement gentoo-dev 2015-10-23 15:18:50 UTC
commit 7335188 (HEAD, master)
Author: Patrice Clement <monsieurp@gentoo.org>
Date:   Fri Oct 23 15:15:12 2015 +0000

    dev-java/jogl: Removing from overlay. Fixes bug 330267.
    
    Signed-off-by: Patrice Clement <monsieurp@gentoo.org>

 delete mode 100644 dev-java/jogl/Manifest
 delete mode 100644 dev-java/jogl/files/1.1.0/fix-solaris-compiler.patch
 delete mode 100644 dev-java/jogl/files/1.1.0/uncouple-gluegen.patch
 delete mode 100644 dev-java/jogl/jogl-1.1.1.ebuild
 delete mode 100644 dev-java/jogl/jogl-2.0_rc8-r1.ebuild
 delete mode 100644 dev-java/jogl/metadata.xml

There's a MUCH more up-to-date and looked-after version sitting in the Science Overlay.

https://gitweb.gentoo.org/proj/sci.git/tree/dev-java/jogl

Consider pulling this one from there. Closing this bug.