From ${URL} : A buffer overflow was found and fixed in the xdelta3 binary diff tool that allows arbitrary code execution from input files, at least on some systems. This appears to be fixed in xdelta3 3.0.9 and later via https://github.com/jmacd/xdelta-devel/commit/ef93ff74203e030073b898c05e8b4860b5d09ef2 @maintainer(s): since the fixed package is already in the tree, please let us know whether it is ready for stabilization or not.
Please stabilize it.
The first version containing the fix that hit the repository was =dev-util/xdelta-3.0.10. The current stable version in slot 3 is =dev-util/xdelta-3.1.0. New GLSA created. @ Maintainer(s): Please clean up <dev-util/xdelta-3.0.10.
Wait, I missed that mgorny committed directly into stable with a mask. So, following maintainer comment #1, calling for stable: @ Arches, please test and mark stable: =dev-util/xdelta-3.0.11
(In reply to Thomas Deutschmann from comment #3) > Wait, I missed that mgorny committed directly into stable with a mask. Yeah, sorry about that; repoman didn't catch it. Fixed now.
Stable on alpha.
amd64 stable
x86 stable
Re-added alpha as the arch was not marked stable.
ppc64 stable
sparc stable
Stable for HPPA.
ppc stable
This issue was resolved and addressed in GLSA 201701-40 at https://security.gentoo.org/glsa/201701-40 by GLSA coordinator Aaron Bauman (b-man).
Pending stable on ia64 (not security supported), and then we can clean up the vulnerable ebuilds.
ia64 stable. Maintainer(s), please clean up.
Tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ed52b0b08ffe472c6007c230f2e72666cf414c8