cabextract 1.5 fixes multiple security vulnerabilities, one of them got CVE-2014-9556. The release notes seem to be not available at a public place (just got them privately via email from the dev), I asked the upstream dev to make them publicly available. Most of the issues are fuzzing-related stuff found with afl. Please bump to 1.5.
+ 29 Mar 2015; Ben de Groot <yngwin@gentoo.org> +cabextract-1.6.ebuild, + -cabextract-1.3.ebuild, cabextract-1.4.ebuild, metadata.xml: + Version bump, which fixes security bugs #538152 and #540626. Bump EAPI. Rename + extra-tools useflag to extras (bug #411643). Remove old. Not sure if this and bug #540626 can be considered a duplicates? One GLSA should probably be enough to cover this.
Arches, please mark app-arch/cabextract-1.6 as stable.
(In reply to Hanno Boeck from comment #0) > cabextract 1.5 fixes multiple security vulnerabilities, one of them got > CVE-2014-9556. > > The release notes seem to be not available at a public place (just got them > privately via email from the dev), I asked the upstream dev to make them > publicly available. Most of the issues are fuzzing-related stuff found with > afl. Can you please forward the notes to security@ if you do not feel comfortable in making them public so we can handle the GLSA accordingly. Currently assigning B4 Whiteboard (same as Bug # 540626) until further information on vulnerabilities are available.
CVE-2014-9556 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9556): Integer overflow in the qtmd_decompress function in libmspack 0.4 allows remote attackers to cause a denial of service (hang) via a crafted CAB file, which triggers an infinite loop.
Arches, please test and mark stable: =app-arch/cabextract-1.6 Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 spark x86"
Just googled for them, seems they have been posted to some netbsd mailing list, so they're public there and can be referenced: https://mail-index.netbsd.org/pkgsrc-users/2015/01/30/msg020987.html Please note: 1.6 also fixes a security issue (directory traversal, CVE-2015-2060), release notes here: http://comments.gmane.org/gmane.os.netbsd.devel.pkgsrc.user/21307
(In reply to Hanno Boeck from comment #6) > Just googled for them, seems they have been posted to some netbsd mailing > list, so they're public there and can be referenced: > https://mail-index.netbsd.org/pkgsrc-users/2015/01/30/msg020987.html Thank you > Please note: 1.6 also fixes a security issue (directory traversal, > CVE-2015-2060), This is handled by Bug # 540626
Stable for HPPA.
amd64 stable
x86 stable
arm stable
alpha stable
ia64 stable
ppc64 stable
ppc stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No
NO too, closing.