Bug 344789 - app-emulation/vmware-server-2.0.2.203138-r1 depends on UNSAFE media-libs/libpng-1.2.44
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High critical
Assignee: Gentoo VMWare Bug Squashers [disabled]
URL: http://bugs.gentoo.org/show_bug.cgi?i...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-11-09 10:26 UTC by renato gallo
Modified: 2010-11-21 14:00 UTC

See Also:
Package list:
Runtime testing required: ---


Description renato gallo 2010-11-09 10:26:21 UTC
!!! All ebuilds that could satisfy "=media-libs/libpng-1.2*" have been masked.
!!! One of the following masked packages is required to complete your request:
- media-libs/libpng-1.2.44 (masked by: package.mask)

(dependency required by "app-emulation/vmware-server-2.0.2.203138-r1" [ebuild])

Reproducible: Always

Steps to Reproduce:
1. Read http://bugs.gentoo.org/show_bug.cgi?id=324153
2. Mask the unsafe libpng version in /etc/portage/package.mask
3. emerge -NDauv system world on a system with previously installed vmware-server

Actual Results:
It requires an UNSAFE AND DANGEROUS libpng version.

Expected Results:
It stops asking me to insert a SECURITY FLAW into my server.

emerge --info
Portage 2.1.9.24 (default/linux/amd64/10.0, gcc-4.4.5, glibc-2.12.1-r3, 2.6.36-gentoo x86_64)
=================================================================
System uname: Linux-2.6.36-gentoo-x86_64-AMD_Phenom-tm-_9950_Quad-Core_Processor-with-gentoo-2.0.1
Timestamp of tree: Tue, 09 Nov 2010 10:00:01 +0000
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r1
dev-lang/python:     2.5.4-r4, 2.6.6-r1, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1-r1
sys-apps/openrc:     9999
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.13, 2.68
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r4, 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.51.0.11
sys-devel/gcc:       4.3.3-r2, 4.4.5
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.82
virtual/os-headers:  2.6.35 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/share/config /var/bind /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="it_IT.utf@euro"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="it en no nb"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X Xaw3d a52 aac aalib abyss accessibility acl ads alsa amd64 amr apache2 applet archive artworkextra async asyncns authdaemond authfile authlib autoipd automount autotrace avahi ban bash-completion beagle berkdb bluetooth bookmarks branding bugzilla build bzip2 cairo capi caps case cdda cdr celt cgi cifsupcall cisco cjk clamav clamdtop cleartype cli connection-sharing consolekit contrast courier cpusets cracklib crypt ctype cups curl cvs cxx dbus deflate deskbar device-mapper dga dhclient dhcpcd dirac directfb diskio djvu dlz dmx dns dri dtmf dvb dvd dvdr dvi dynamicplugin elf elisp emacs emacs22icons emf encode esd eurephia examples exchange exif expat extensible extensions extra-tools extras faac faad fam fax fbcon fbcondecor ffmpeg fftw filter flac fontconfig fontforge fortran fpx ftp fuse fusion galago gcdmaster gd gdbm gdu geoip ggi gif gimp glitz gnome gnome-keyring gnomecd gnutls gpg gphoto2 gpm graphviz gs gsf gsm gstreamer gtk guile gzip-el h224 h281 h323 hal hdri hesiod heterogeneous howl-compat http http-forms http-server iax iconv icu idn ieee1394 ifsession imagemagick imap imlib iproute2 ipv6 ivr ixj java jbig jpeg jpeg2k json kdrive kerberos krb5 lame lasi lcms ldap ldirectord lensfun libcaca libnotify libsamplerate lid lilo lirc lm_sensors lqr lzo mad maildir management mdnsresponder-compat mfd-rewrites mhash milter ming mmap mmx mng modules mono moonlight motif mozsha1 mp3 mpeg mpi mudflap multilib mysql mysqli mythtv nagios-dns nagios-ntp nagios-ping nagios-ssh nas nat nat-transport nautilus ncurses net network networking networkmanager nls nntp nptl nptlonly nsplugin nss odbc ogg old-daemons openexr opengl openmp openntpd openssl opensslcrypt oss overlays pam parse-clocks passwordsave pbs pccts pcre pdf perl php pic pipechan pkcs11 plotutils png policykit poll pop posix ppds pppd pst pulseaudio python python3 q32 q8 qt3support qt4 quotas radius rar raw razor readline reflection resolvconf rewrite rle romio rpm rrdcgi ruby samba sample sasl 
sbc schroedinger sdb-ldap sdl secure-delete semantic-desktop sendmail sensord server session shaper sidebar sip sipim sitemisc slang slp smp smux snmp sockets socks5 softquota sound spamassassin speex spell spl sql sqlite srtp sse sse2 ssl startup-notification stats subversion svg swat swig sysfs syslog t1lib taglib tcl tcpd test-programs theora threads tiff timezone tk toolbar toolkit-scroll-bars tools tracker truetype tslib unicode unrar ups urandom usb utils v4l v4l2 vcd vda vdpau vhook vhosts vim-syntax vorbis vpb vroot vt vxml wav wavpack webdav webkit wicd winbind wmf wxwidgets x264 xcb xemacs xen xft xine xinerama xinetd xml xmlreader xmlrpc xmlwriter xmp xorg xpm xscreensaver xsl xv xvid xvmc zeroconf zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="cgi cgid actions alias asis auth_basic auth_digest authn_alias authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cern_meta charset_lite dav dav_fs dav_lock dbd deflate dir disk_cache dumpio env expires ext_filter file_cache filter headers ident imagemap include info log_config log_forensic logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_connect proxy_ftp proxy_http rewrite setenvif speling status substitute unique_id userdir usertrack version vhost_alias" APACHE2_MPMS="event" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 
timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse acecad aiptek elographics fpit hyperpen joystick mutouch penmount synaptics tslib virtualbox vmmouse void " KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="it en no nb" PHP_TARGETS="php5-2" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, MAKEOPTS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2010-11-16 00:27:25 UTC
I'm reassigning this bug to the vmware team, but I'm not sure there's much they can do about it.
Comment 2 Vadim Kuznetsov (RETIRED) gentoo-dev 2010-11-21 13:03:50 UTC
libpng-1.2.44 is stable.

equery m media-libs/libpng-1.2.44
 * media-libs/libpng [gentoo]
Herd:        base-system (base-system@gentoo.org)
Location:    /usr/portage/media-libs/libpng
Keywords:    1.2.44:1.2: amd64 hppa ppc ppc64 x86 ~alpha ~arm ~ia64 ~m68k ~mips ~s390 ~sh ~sparc ~sparc-fbsd ~x86-fbsd
Comment 3 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2010-11-21 13:22:17 UTC
Vadim,

the argument was that libpng-1.2.44 has security issues, not that it isn't stable.

Renato,

I didn't pay enough attention when I first wrangled this bug. If you read the summary of the linked bug correctly, that Privilege Escalation bug only affects <media-libs/libpng-1.2.44, so 1.2.44 is safe - at least from that security bug.
Comment 4 Vadim Kuznetsov (RETIRED) gentoo-dev 2010-11-21 14:00:49 UTC
(In reply to comment #3)
> Vadim,
> 
> the argument was that libpng-1.2.44 has security issues, not that it isn't
> stable.

Argument was 324153, and libpng-1.2.44 is masked.
324153 is <media-libs/libpng-{1.2.44,1.4.3}: Privilege escalation (CVE-2010-1205)

So I noticed "<" sign and that 1.2.44 is stable.

Thanks.
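The whole disagreement above turns on how the "<" in an atom like <media-libs/libpng-1.2.44 is read, and on the brace shorthand in the bug 324153 title naming one fixed version per SLOT. The following is an added example, not Portage's code or anything from this bug: a minimal atom matcher that shows 1.2.44 itself falling outside the vulnerable range. It assumes plain dotted versions with an optional trailing letter and -rN revision (no _p/_rc suffixes) and that a libpng SLOT is the first two version components.

```python
import re

# Added example, not Portage's own matcher. Assumption: versions are dotted
# numbers, an optional trailing letter and an optional -rN revision.
VERSION = r"\d+(?:\.\d+)*[a-z]?(?:-r\d+)?"
ATOM_RE = re.compile(r"^(<=|>=|<|>|=|~)([\w+-]+/[\w+-]+?)-(" + VERSION + r")(\*?)$")
VER_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?$")


def parse_version(ver):
    """'1.2.44-r1' -> ((1, 2, 44), '', 1); a missing revision is -r0."""
    m = VER_RE.match(ver)
    if not m:
        raise ValueError("unsupported version: %r" % ver)
    nums, letter, rev = m.groups()
    return tuple(int(n) for n in nums.split(".")), letter, int(rev or 0)


def atom_matches(atom, package, version):
    """True if package-version lies inside the range the atom describes."""
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError("unsupported atom: %r" % atom)
    op, name, want, glob = m.groups()
    if name != package:
        return False
    have, want = parse_version(version), parse_version(want)
    if glob:  # "=cat/pkg-1.2*": component-wise prefix, so 1.2.44 matches, 1.20 does not
        return op == "=" and have[0][:len(want[0])] == want[0]
    if op == "~":  # same version, any revision
        return have[:2] == want[:2]
    # "<" is strict: the version named in the atom is the first FIXED one.
    return {"<": have < want, "<=": have <= want, "=": have == want,
            ">": have > want, ">=": have >= want}[op]


def affected_by_bug(version, fixed_by_slot):
    """Titles like "<libpng-{1.2.44,1.4.3}" give one fixed version per SLOT.

    Assumption: the SLOT is the first two version components (true for the
    libpng 1.2 / 1.4 slots discussed here). Returns None for an unknown slot."""
    slot = ".".join(str(n) for n in parse_version(version)[0][:2])
    fixed = fixed_by_slot.get(slot)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)
```

Running affected_by_bug("1.2.44", {"1.2": "1.2.44", "1.4": "1.4.3"}) returns False, which is exactly the point comment 3 makes; 1.2.43 and 1.4.2 return True.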