Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 489450 - GLSA 201310-15 - tree still contains vulnerable versions of sys-devel/automake in stable
Summary: GLSA 201310-15 - tree still contains vulnerable versions of sys-devel/automak...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on: 692382
Blocks: 490192
  Show dependency tree
 
Reported: 2013-10-26 11:16 UTC by Richard Freeman
Modified: 2019-09-29 02:55 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Richard Freeman gentoo-dev 2013-10-26 11:16:04 UTC
GLSA 201310-15 lists all versions of automake < 1.11.6 as vulnerable.

The tree contains versions going all the way back to 1.4, unmasked.

Either the GLSA is in error and should be limited to 1.11 slot, or there are a bunch of versions that should be masked.

Reproducible: Always
Comment 1 Sergey Popov gentoo-dev 2013-10-28 17:28:31 UTC
(In reply to Richard Freeman from comment #0)
> GLSA 201310-15 lists all versions of automake < 1.11.6 as vulnerable.
> 
> The tree contains versions going all the way back to 1.4, unmasked.
> 
> Either the GLSA is in error and should be limited to 1.11 slot, or there are
> a bunch of versions that should be masked.

@base-system, how should we proceed? I know, that there are some ebuilds in tree which requires older automake versions, so - blind masking is not an option. But ignoring this is also a bad thing.

Suggestion(not ideal, though): drop all older versions to ~arch as all ebuilds, which depends on particular automake < 1.11
Comment 2 Doug Goldstein gentoo-dev 2013-10-28 21:03:21 UTC
CVE-2012-3386 does affect all versions prior to 1.11.6. It affects all versions at least to 1.4a (maybe more). So its really every version older we have in the tree. The only real saving grace for Gentoo is that the issue is with make distcheck, and Portage does not call make distcheck ever (though technically that doesn't stop an ebuild developer from doing that).

Not sure what the best option is.
Comment 3 SpanKY gentoo-dev 2013-12-09 08:10:57 UTC
if someone wants to do the work to backport the fix, then we could merge it.  but i don't think we should mask them.

i don't think ~arch makes sense.  in order to run these tools, you'd have to manually opt into it (run `automake-1.4` or something).  which means the person wants to use it which means ~arch wouldn't stop them which means, in practice, no one is going to actually be safer.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-19 01:04:30 UTC
@base-system, can we mask <1.11.6-r2 so we can move on?
Comment 5 Andreas K. Hüttel gentoo-dev 2017-10-22 16:42:37 UTC
(In reply to Aaron Bauman from comment #4)
> @base-system, can we mask <1.11.6-r2 so we can move on?

<1.9 is now masked. 

For 1.9 and 1.0 we need to take care of the reverse deps first.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-23 00:48:48 UTC
(In reply to Andreas K. Hüttel from comment #5)
> (In reply to Aaron Bauman from comment #4)
> > @base-system, can we mask <1.11.6-r2 so we can move on?
> 
> <1.9 is now masked. 
> 
> For 1.9 and 1.0 we need to take care of the reverse deps first.

Thanks!  Progress has been made.  Will continue to track.
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-17 19:58:46 UTC
All packages masked requiring :1.9 or :1.10 except for app-misc/lcdproc which is now blocking this bug.
Comment 8 Larry the Git Cow gentoo-dev 2019-09-22 16:08:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85fb9e060cbba2053036988833c2affc9bb6d454

commit 85fb9e060cbba2053036988833c2affc9bb6d454
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-09-22 16:07:25 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-09-22 16:07:25 +0000

    profiles/package.mask: extend automake mask to :1.9
    
    Bug: https://bugs.gentoo.org/489450
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 1 +
 1 file changed, 1 insertion(+)
Comment 9 Larry the Git Cow gentoo-dev 2019-09-29 02:55:26 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8a58727b9a76a75299c88ce78a4ffa6a739d9a54

commit 8a58727b9a76a75299c88ce78a4ffa6a739d9a54
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-09-29 02:54:27 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-09-29 02:54:27 +0000

    profiles/package.mask: extend automake mask to 1.10
    
    * This masks vulnerable versions of automake
    
    Closes: https://bugs.gentoo.org/489450
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 profiles/package.mask | 1 +
 1 file changed, 1 insertion(+)