Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 366697 (CVE-2011-0904) - <net-misc/vino-2.32.2: Denial of Service Vulnerabilities (CVE-2011-{0904,0905})
Summary: <net-misc/vino-2.32.2: Denial of Service Vulnerabilities (CVE-2011-{0904,0905})
Status: RESOLVED FIXED
Alias: CVE-2011-0904
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-10 04:49 UTC by Tim Sammut (RETIRED)
Modified: 2014-12-12 00:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-05-10 04:49:42 UTC
There are two DoS vulnerabilities in vino crashed by invalid framebuffer requests. The upstream bugs appear to be:

https://bugzilla.gnome.org/show_bug.cgi?id=641802 (CVE-2011-0904)
https://bugzilla.gnome.org/show_bug.cgi?id=641803 (CVE-2011-0905, private)
Comment 1 Gilles Dartiguelongue gentoo-dev 2011-05-10 06:49:53 UTC
IIRC that's what the 2.32.2 release was for and it already is in tree. Unless there's something more we are good to go.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-05-14 20:52:57 UTC
(In reply to comment #1)
> IIRC that's what the 2.32.2 release was for and it already is in tree. Unless
> there's something more we are good to go.

Ok, I am a little confused. https://bugzilla.gnome.org/show_bug.cgi?id=641802#c10 says this is fixed in a 2.32.3 version, but comparing the fix at http://bugzilla-attachments.gnome.org/attachment.cgi?id=186688 to the source from our 2.32.2 we look to include the fixed code.

Alright, can we stabilize =net-misc/vino-2.32.2?
Comment 3 Nirbheek Chauhan (RETIRED) gentoo-dev 2011-05-14 21:11:04 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > IIRC that's what the 2.32.2 release was for and it already is in tree. Unless
> > there's something more we are good to go.
> 
> Ok, I am a little confused.
> https://bugzilla.gnome.org/show_bug.cgi?id=641802#c10 says this is fixed in a
> 2.32.3 version, but comparing the fix at
> http://bugzilla-attachments.gnome.org/attachment.cgi?id=186688 to the source
> from our 2.32.2 we look to include the fixed code.
> 
> Alright, can we stabilize =net-misc/vino-2.32.2?

Latest is 2.32.2[1]. That should be stabilized.


1. http://ftp.acc.umu.se/pub/GNOME/sources/vino/2.32/
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-05-14 21:14:03 UTC
(In reply to comment #3)
> 
> Latest is 2.32.2[1]. That should be stabilized.
> 

Cool, thanks.

Arches, please test and mark stable:
=net-misc/vino-2.32.2
Target keywords : "alpha amd64 arm ia64 ppc ppc64 sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2011-05-15 00:50:56 UTC
amd64 ok
Comment 6 Christoph Mende (RETIRED) gentoo-dev 2011-05-15 07:52:08 UTC
amd64 stable
Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-15 14:17:41 UTC
ppc/ppc64 stable
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-15 16:20:29 UTC
x86 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-05-21 16:04:24 UTC
alpha/arm/ia64/sparc stable
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2011-05-23 02:36:17 UTC
Thanks, everyone. GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:37:49 UTC
This issue was resolved and addressed in
 GLSA 201412-09 at http://security.gentoo.org/glsa/glsa-201412-09.xml
by GLSA coordinator Sean Amoss (ackle).