CVE-2017-11590 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11590): There is a NULL pointer dereference in the caseless_hash function in gxps-archive.c in libgxps 0.2.5. A crafted input will lead to a remote denial of service attack. References: https://bugzilla.redhat.com/show_bug.cgi?id=1475734 https://bugzilla.gnome.org/show_bug.cgi?id=785479
Looks like the patch made it into the 0.3.0 release which I added to the tree two days ago.
(In reply to Gilles Dartiguelongue from comment #1)
> Looks like the patch made it into the 0.3.0 release which I added to the
> tree two days ago.

Thank you, please call for stabilization when necessary or let us know.

Gentoo Security Padawan
ChrisADR
An automated check of this bug failed - repoman reported dependency errors (33 lines truncated):

> dependency.bad app-text/libgxps/libgxps-0.3.0.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=dev-util/meson-0.40.0']
> dependency.bad app-text/libgxps/libgxps-0.3.0.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-util/meson-0.40.0']
> dependency.bad app-text/libgxps/libgxps-0.3.0.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-util/meson-0.40.0']
ia64 stable

I've also stabled =dev-util/meson-0.41.2. Please consider adding it to the package list.
An automated check of this bug failed - repoman reported dependency errors (28 lines truncated):

> dependency.bad app-text/libgxps/libgxps-0.3.0.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['>=dev-util/meson-0.40.0']
> dependency.bad app-text/libgxps/libgxps-0.3.0.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['>=dev-util/meson-0.40.0']
> dependency.bad app-text/libgxps/libgxps-0.3.0.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop/gnome) ['>=dev-util/meson-0.40.0']
An automated check of this bug succeeded - the previous repoman errors are now resolved.
Stable on alpha.
amd64/x86 stable
sparc was dropped to exp.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
ppc64 stable
ppc stable
sparc stable (thanks to Rolf Eike Beer) (also marked newer meson for ~sparc)
@arm, ping.
An automated check of this bug failed - the following atom is unknown: dev-util/meson-0.41.2

Please verify the atom list.
Now done for arm and cleanup bits as part of bug 631656 (much newer meson stable since long ago too)

commit 19c768cca32e1105a0f2e2a07ae771ee8d300841
Author: Markus Meier <maekke@gentoo.org>
Date:   Wed Mar 14 21:19:28 2018 +0100

    app-text/libgxps: arm stable, bug #631656

    Package-Manager: Portage-2.3.24, Repoman-2.3.6
    RepoMan-Options: --include-arches="arm"

 app-text/libgxps/libgxps-0.3.0.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

commit a4ae156e48a9157825e11d5d43e2c27ffe9ac9cf
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Thu Mar 15 03:25:32 2018 +0200

    app-text/libgxps: remove old

    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 app-text/libgxps/Manifest             |  1 -
 app-text/libgxps/libgxps-0.2.5.ebuild | 48 ------------------------------------------------
 2 files changed, 49 deletions(-)

I don't know why there is no glsa judging during all this time, so putting glsa? in whiteboard for you.
(In reply to Mart Raudsepp from comment #15)
> I don't know why there is no glsa judging during all this time, so putting
> glsa? in whiteboard for you.

Thanks leio,

GLSA Vote: No.

Closing as RESOLVED, nothing else to do.