Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 51586 - dev-util/tla-1.2-r1 using vulnerable libneon
Summary: dev-util/tla-1.2-r1 using vulnerable libneon
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
URL: http://www.openpkg.org/security/OpenP...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-05-20 12:23 UTC by Sune Kloppenborg Jeppesen
Modified: 2004-06-02 11:05 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2004-05-20 12:23:24 UTC
Original libneon bug #51490

As of May 5th website at http://arch.quackerhead.com/~lord/ promises a security update for the previous libneon vulnerability.
Comment 1 Anders Rune Jensen (RETIRED) gentoo-dev 2004-05-20 16:39:11 UTC
Tla 1.2.1pre1 was released by James Blackwell because Tom was offline because he was moving. It fixes this security hole. For more information see this:

http://mail.gnu.org/archive/html/gnu-arch-users/2004-04/msg00715.html

Tom as later acked this version:
http://mail.gnu.org/archive/html/gnu-arch-users/2004-04/msg00716.html
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-05-21 00:41:12 UTC
Confirmed
Fix version is 1.2.1pre1.
Ryan : please bump to this version.
Comment 3 Ryan Phillips (RETIRED) gentoo-dev 2004-05-28 10:50:08 UTC
1.2.1_pre1 committed.  Awaiting GLSA announcement for bug closure.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-05-28 11:44:20 UTC
Ready for a GLSA
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-05-30 14:10:03 UTC
GLSA 200405-25
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-06-01 01:35:21 UTC
Carsten Eiram from Secunia brought to our attention that 1.2.1_pre1 includes neon-0.24.5, so it does only solve the string format vuln (CAN-2004-0179) and not
the heap overflow (CAN-2004-0398), which needs neon-0.24.6.

The OpenPKG advisory uses a "tla-1.2-20040519" as the fix.

rphillips : could you clear that up and, if needed, produce a new fix ebuild ?
We'll probably have to issue an errata advisory.
Comment 7 Ryan Phillips (RETIRED) gentoo-dev 2004-06-01 22:33:18 UTC
I looked in http://dailyarch.gnuarch.org/ for the tla snapshot for 20040519.  
in src/tla/libneon/aclocal.m4 it says that libneon is 0.24.0 still... Also, in the latest snapshot: 20040602.  Am I just seeing things?
Comment 8 Ryan Phillips (RETIRED) gentoo-dev 2004-06-01 22:46:10 UTC
jivera in #arch said that the included neon isn't up to date yet.  I think the openpackage advisory might not have gotten the right fix (if there is one).
Comment 9 Ryan Phillips (RETIRED) gentoo-dev 2004-06-01 23:23:34 UTC
tla-1.2-r2.ebuild has been committed to portage.  tla will use the installed neon shared library via the patch included (files/tla-1.2-4.diff.gz)

Awaiting GLSA
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-06-02 01:52:24 UTC
Errata drafted, security, please review.

We should remove/mask 1.2.1_pre1 before GLSA release so that this vulnerable version does not get picked up by the emerge ">=dev-util/tla-1.2-r2".
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-06-02 11:05:59 UTC
Errata GLSA 200405-25:02
Ryan: thank you very much for this quick and efficient fix !