From v0.31.1 changelog:

2017-01-08: icoutils 0.31.1 released. Security fixes: Colin Watson, Debian bug https://bugs.debian.org/850017; Martin Gieseking, Fedora https://bugzilla.redhat.com/show_bug.cgi?id=1249276

@ Maintainer(s): Please bump to >=media-gfx/icoutils-0.31.1 and let us know when you are ready to stabilize.
from ${URL}:

> It turns out that this is not enough, so upstream has issued
>
> http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=4fbe9222fd79ee31b7ec031b0be070a9a400d1d3
>
> Could you please assign a further CVE for this follow-up fix?

Use CVE-2017-5331.

> Furthermore I would like to ask if the following two commits from upstream
> can have an identifier assigned as well:
>
> http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
> http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a

Yes, but because these are immediately consecutive commits, the CVE mapping may seem unusual. Use CVE-2017-5332 for all of 1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a and also the index correction in 1a108713ac26215c7568353f6e02e727e6d4b24a. In other words, the change from "entries[c]" to "entries[c-skipped]" in 1a108713ac26215c7568353f6e02e727e6d4b24a cannot have a new CVE ID because the code was never "shipped" with "entries[c]" in use. There aren't two independent problems related to establishing a maximum allowable value of the size variable.

Use CVE-2017-5333 for the separate vulnerability fixed by the introduction of the "size >= sizeof(uint16_t)*2" test in 1a108713ac26215c7568353f6e02e727e6d4b24a.
Further issues found in 0.31.1 incoming
*** Bug 610714 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11af7de2cc8e6ff58ed74e58709a91a630bb4dc1

commit 11af7de2cc8e6ff58ed74e58709a91a630bb4dc1
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-10-29 17:39:39 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-10-29 17:42:14 +0000

media-gfx/icoutils: Bump to v0.32.0

Thanks to Marty Plummer for the musl build fix (bug #631360).

Closes: https://github.com/gentoo/gentoo/pull/5393
Fixes: https://bugs.gentoo.org/631360
Bug: https://bugs.gentoo.org/605138
Closes: https://bugs.gentoo.org/635814
Package-Manager: Portage-2.3.13, Repoman-2.3.4

media-gfx/icoutils/Manifest | 1 +
media-gfx/icoutils/icoutils-0.32.0.ebuild | 49 +++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+)
@ Arches, please test and mark stable: =media-gfx/icoutils-0.32.0
x86 stable
Stable on amd64
ppc stable
All supported arches stabilized. @maintainer(s), proceed to cleanup, thank you. Gentoo Security Padawan (Jmbailey/mbailey_j)
This issue was resolved and addressed in GLSA 201801-12 at https://security.gentoo.org/glsa/201801-12 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup. @ Maintainer(s): Please cleanup and drop <media-gfx/icoutils-0.32.0!
tree is clean: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d49cff47ebb1ce75290b99982310e7e935b3831