GLSA 201310-15 lists all versions of automake < 1.11.6 as vulnerable.

The tree contains versions going all the way back to 1.4, unmasked.

Either the GLSA is in error and should be limited to 1.11 slot, or there are a bunch of versions that should be masked.

Reproducible: Always
(In reply to Richard Freeman from comment #0)
> GLSA 201310-15 lists all versions of automake < 1.11.6 as vulnerable.
>
> The tree contains versions going all the way back to 1.4, unmasked.
>
> Either the GLSA is in error and should be limited to 1.11 slot, or there are
> a bunch of versions that should be masked.

@base-system, how should we proceed? I know that there are some ebuilds in tree which require older automake versions, so blind masking is not an option. But ignoring this is also a bad thing. Suggestion (not ideal, though): drop all older versions to ~arch as all ebuilds, which depends on particular automake < 1.11
CVE-2012-3386 does affect all versions prior to 1.11.6. It affects all versions at least to 1.4a (maybe more). So it's really every older version we have in the tree. The only real saving grace for Gentoo is that the issue is with make distcheck, and Portage does not call make distcheck ever (though technically that doesn't stop an ebuild developer from doing that). Not sure what the best option is.
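To make the affected range discussed in this thread concrete, here is an added example that is not from the bug, the GLSA or the Gentoo tree: a POSIX shell script that classifies automake version strings against the GLSA 201310-15 boundary for CVE-2012-3386, where every version below 1.11.6 is affected. The list of installed versions is constructed; the portageq query mentioned in the closing comment is the assumed way to obtain real installed versions on a Gentoo host.

```shell
#!/bin/sh
# Added example for the automake mask discussion; not code from the Gentoo
# tree or from GLSA 201310-15. It checks version strings against the fix
# boundary the GLSA gives for CVE-2012-3386 (everything below 1.11.6 is
# affected). The sample version list is constructed, not taken from a host.

FIXED_VERSION="1.11.6"

# Drop the Gentoo revision (-rN) and any _p/_rc/_alpha suffix; only the
# dotted numeric part matters for a "below 1.11.6" test.
strip_suffix() {
    v="$1"
    v="${v%%-r*}"
    v="${v%%_*}"
    printf '%s\n' "$v"
}

# version_lt A B: exit status 0 when A sorts below B, comparing dotted
# components numerically. A missing component counts as 0, and a letter
# suffix such as the "4a" in 1.4a is compared by its leading digits.
version_lt() {
    a=$(strip_suffix "$1")
    b=$(strip_suffix "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"
        ac="${ac%%[!0-9]*}"; bc="${bc%%[!0-9]*}"
        if [ -z "$ac" ]; then ac=0; fi
        if [ -z "$bc" ]; then bc=0; fi
        if [ "$ac" -lt "$bc" ]; then return 0; fi
        if [ "$ac" -gt "$bc" ]; then return 1; fi
        case $a in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case $b in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# Exit status 0 when the given automake version is below the fixed version.
automake_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# Constructed sample of installed sys-devel/automake versions (not a real host).
SAMPLE_VERSIONS="1.4_p6 1.5 1.9.6-r3 1.10.3 1.11.6-r2 1.13.4 1.16.1"

# Print the number of versions in the list that fall below the fix boundary.
count_vulnerable() {
    n=0
    for v in $1; do
        if automake_vulnerable "$v"; then
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# One line per version, stating whether it is inside the affected range.
report() {
    for v in $1; do
        if automake_vulnerable "$v"; then
            printf '%s\n' "sys-devel/automake-$v: below $FIXED_VERSION, affected by CVE-2012-3386"
        else
            printf '%s\n' "sys-devel/automake-$v: at or above $FIXED_VERSION"
        fi
    done
}

# On a Gentoo host the constructed list can be replaced with the installed
# versions, e.g. from `portageq match / sys-devel/automake` with the
# "sys-devel/automake-" prefix stripped (assumed available on that host).
report "$SAMPLE_VERSIONS"
```

The check only answers "is this version inside the range the GLSA names"; as the comment above notes, whether a given Gentoo install ever reaches the affected `make distcheck` code path is a separate question.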
if someone wants to do the work to backport the fix, then we could merge it. but i don't think we should mask them. i don't think ~arch makes sense. in order to run these tools, you'd have to manually opt into it (run `automake-1.4` or something). which means the person wants to use it which means ~arch wouldn't stop them which means, in practice, no one is going to actually be safer.
@base-system, can we mask <1.11.6-r2 so we can move on?
(In reply to Aaron Bauman from comment #4)
> @base-system, can we mask <1.11.6-r2 so we can move on?

<1.9 is now masked.

For 1.9 and 1.0 we need to take care of the reverse deps first.
(In reply to Andreas K. Hüttel from comment #5)
> (In reply to Aaron Bauman from comment #4)
> > @base-system, can we mask <1.11.6-r2 so we can move on?
>
> <1.9 is now masked.
>
> For 1.9 and 1.0 we need to take care of the reverse deps first.

Thanks! Progress has been made. Will continue to track.
All packages masked requiring :1.9 or :1.10 except for app-misc/lcdproc which is now blocking this bug.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85fb9e060cbba2053036988833c2affc9bb6d454

commit 85fb9e060cbba2053036988833c2affc9bb6d454
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-09-22 16:07:25 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-09-22 16:07:25 +0000

    profiles/package.mask: extend automake mask to :1.9

    Bug: https://bugs.gentoo.org/489450
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 1 +
 1 file changed, 1 insertion(+)
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a58727b9a76a75299c88ce78a4ffa6a739d9a54

commit 8a58727b9a76a75299c88ce78a4ffa6a739d9a54
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-09-29 02:54:27 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-09-29 02:54:27 +0000

    profiles/package.mask: extend automake mask to 1.10

    * This masks vulnerable versions of automake

    Closes: https://bugs.gentoo.org/489450
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 1 +
 1 file changed, 1 insertion(+)