It is suspected that this package is vulnerable to a security vulnerability in LZO. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. Please see the information contained in the tracker bug 515246. "An integer overflow may occur when processing any variant of a "literal run" in the lzo1x_decompress_safe function. Each of these three locations is subject to an integer overflow when processing zero bytes.", additional information about the upstream vulnerability is available at http://seclists.org/oss-sec/2014/q2/665 Reproducible: Didn't try
fixed upstream here: https://sourceforge.net/p/dump/code/ci/b498b6fbf486e2fc0753f605723fc798a5241e78/ need to make a release though
it's in the tree now, but will need time to bake as there hasn't been a new release in a while now
(In reply to SpanKY from comment #2) > it's in the tree now, but will need time to bake as there hasn't been a new > release in a while now 0.4.45 doesn't like linking against unstable openssl, it seems. Hardened toolchain setup, removing LTO or Graphite doesn't matter: libtool: link: x86_64-pc-linux-gnu-gcc -O2 -march=corei7 -mtune=corei7 -mfpmath=sse -msse -msse2 -mssse3 -msse4.1 -msse4.2 -mcx16 -msahf -mcrc32 -maccumulate-outgoing-args -fforce-addr -fmodulo-sched -fivopts -ftree-loop-im -ftree-loop-linear -ftree-loop-ivcanon -fgcse-after-reload -fgcse-lm -fgcse-sm -fgcse-las -floop-interchange -ftree-loop-distribution -floop-strip-mine -floop-block -ftree-vectorize -flto=8 -fuse-linker-plugin -fno-lto -fno-use-linker-plugin -fno-lto -fno-use-linker-plugin -fno-loop-interchange -fno-tree-loop-distribution -fno-loop-strip-mine -fno-loop-block -O2 -march=corei7 -mtune=corei7 -mfpmath=sse -msse -msse2 -mssse3 -msse4.1 -msse4.2 -mcx16 -msahf -mcrc32 -maccumulate-outgoing-args -fforce-addr -fmodulo-sched -fivopts -ftree-loop-im -ftree-loop-linear -ftree-loop-ivcanon -fgcse-after-reload -fgcse-lm -fgcse-sm -fgcse-las -floop-interchange -ftree-loop-distribution -floop-strip-mine -floop-block -ftree-vectorize -flto=8 -fuse-linker-plugin -Wl,-z -Wl,now -Wl,-z -Wl,relro -fno-lto -fno-use-linker-plugin -fno-lto -fno-use-linker-plugin -fno-loop-interchange -fno-tree-loop-distribution -fno-loop-strip-mine -fno-loop-block -o ermt ermt.o cipher.o ../compat/lib/.libs/libcompat.a -lblkid -lext2fs cipher.o: In function `cipher': cipher.c:(.text+0x95): undefined reference to `EVP_CipherUpdate' cipher.c:(.text+0xf7): undefined reference to `EVP_bf_cbc' cipher.c:(.text+0x1c3): undefined reference to `EVP_md5' cipher.c:(.text+0x1f0): undefined reference to `EVP_BytesToKey' cipher.c:(.text+0x1fc): undefined reference to `EVP_CIPHER_CTX_init' cipher.c:(.text+0x21a): undefined reference to `EVP_CipherInit_ex' cipher.c:(.text+0x228): undefined reference to `EVP_CIPHER_CTX_set_padding' cipher.c:(.text+0x235): undefined reference to `OPENSSL_cleanse' cipher.c:(.text+0x242): undefined reference to `OPENSSL_cleanse' cipher.c:(.text+0x24f): undefined reference to `OPENSSL_cleanse' cipher.c:(.text+0x25b): undefined reference to `EVP_CIPHER_CTX_block_size' collect2: error: ld returned 1 exit status make[2]: *** [Makefile:433: ermt] Error 1 make[2]: Leaving directory '/ramfs/portage/app-arch/dump-0.4.45/work/dump-0.4b45/rmt' make[1]: *** [Makefile:437: all-recursive] Error 1 make[1]: Leaving directory '/ramfs/portage/app-arch/dump-0.4.45/work/dump-0.4b45' make: *** [Makefile:368: all] Error 2 * ERROR: app-arch/dump-0.4.45::gentoo failed (compile phase): * emake failed
(In reply to Joshua Kinard from comment #3) please don't report bugs here. file new ones.
Any changes here?
(In reply to SpanKY from comment #2) > it's in the tree now, but will need time to bake as there hasn't been a new > release in a while now Can we stabilize this yet?
@ Arches, please test and mark stable: =app-arch/dump-0.4.46
amd64 stable
x86 stable
Stable on alpha.
sparc stable
ppc stable
ia64 stable
ppc64 stable. Maintainer(s), please cleanup. Security, please vote.
https://github.com/gentoo/gentoo/pull/3613
Thank you all for your work. GLSA Vote = No Maintainer(s), please drop the vulnerable version(s).
Maintainer(s), please drop the vulnerable version(s).
Tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=769dc13e9c6032697ffb26fc90be36e79b9b90f4