600526 – <dev-libs/gnulib-2016.12.21.08.39.01: memory corruption flaw in parse_datetime() (CVE-2014-9471)

Bug 600526 - <dev-libs/gnulib-2016.12.21.08.39.01: memory corruption flaw in parse_datetime() (CVE-2014-9471)

Summary: <dev-libs/gnulib-2016.12.21.08.39.01: memory corruption flaw in parse_datetim...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~2 [noglsa]
Keywords:

Depends on:
Blocks:	CVE-2014-9471
	Show dependency tree

Reported:	2016-11-22 22:12 UTC by Thomas Deutschmann (RETIRED)
Modified:	2017-01-02 08:35 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-22 22:12:04 UTC

@ Maintainer(s): Please do another snapshot release. The vulnerability was fixed in http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=a10acfb1d2118f9a180181d3fed5399dbbe1df3c so you should be safe when you bump at least to >=dev-libs/gnulib-20140226 ...

Comment 1 Fabian Groffen gentoo-dev

2016-12-21 07:45:57 UTC

I just pushed out 2016.12.21.08.39.01.

Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev

2016-12-23 01:18:47 UTC

@ Maintainer(s): Thanks for the bump. Please also remove the vulnerable versions, i.e. drop

=dev-libs/gnulib-2013.10.28.22.33.52
=dev-libs/gnulib-2009.03.03.14.07.45-r1

(or apply a mask indicating a security problem).

Comment 3 Fabian Groffen gentoo-dev

2016-12-23 07:22:34 UTC

My bad, should've removed the old versions immediately.  Done now.