CVE-2016-1244 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1244): The extractTree function in unADF allows remote attackers to execute arbitrary code via shell metacharacters in a directory name in an adf file.

CVE-2016-1243 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1243): Stack-based buffer overflow in the extractTree function in unADF allows remote attackers to execute arbitrary code via a long pathname.
@Maintainers please call for stabilization when ready. Thank you
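Added example, not part of the original bug report and not unADF's own code: a hardened way for an extractor to build an output path from an entry name read from an image and create the directory, covering both issue classes named in the CVE descriptions above. The helper names (`join_path`, `make_dir`, `entry_name_ok`), the `out` base directory and the sample names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical helpers for illustration; names are not taken from unADF. */

/* Reject entry names that could escape the destination directory. */
static int entry_name_ok(const char *name)
{
    if (name[0] == '\0' || strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return strchr(name, '/') == NULL;
}

/* Join base and name into out; fail instead of truncating or overflowing. */
int join_path(char *out, size_t outsz, const char *base, const char *name)
{
    int n;

    if (!entry_name_ok(name))
        return -1;
    n = snprintf(out, outsz, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;              /* path does not fit: refuse the entry */
    return 0;
}

/* Create the directory with mkdir(2), so the name is never parsed by a shell. */
int make_dir(const char *path)
{
    if (mkdir(path, 0755) == 0 || errno == EEXIST)
        return 0;
    return -1;
}

int main(void)
{
    /* Constructed sample entry names, as they might be read from an image. */
    const char *names[] = { "docs", "a;b`c$(d)", "..", "sub/dir" };
    char path[64];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s -> %s\n", names[i],
               join_path(path, sizeof path, "out", names[i]) == 0 ? path : "rejected");
    return 0;
}
```

Shell metacharacters in a name are accepted here because they are inert once the path goes to `mkdir(2)` directly; over-long names and names that would leave the destination directory are refused.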
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=634759896cca38f227b01c715f190ee3dc6741ca

commit 634759896cca38f227b01c715f190ee3dc6741ca
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2017-12-29 12:54:56 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2017-12-29 13:16:45 +0000

    app-arch/unadf: Add patches for CVE-2016-1243 and CVE-2016-1244

    Bug: https://bugs.gentoo.org/636388
    Package-Manager: Portage-2.3.19, Repoman-2.3.6

 .../unadf-0.7.12-CVE-2016-1243_CVE-2016-1244.patch | 146 +++++++++++++++++++++
 ...{unadf-0.7.12.ebuild => unadf-0.7.12-r1.ebuild} |   1 +
 2 files changed, 147 insertions(+)
amd64 stable
x86 stable
@hppa, ping.
ppc stable
hppa stable
GLSA request filed. @maintainer, please clean the vulnerable versions.
This issue was resolved and addressed in GLSA 201804-20 at https://security.gentoo.org/glsa/201804-20 by GLSA coordinator Aaron Bauman (b-man).
re-opened for cleanup
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a8db2993955f4d89490f42094566cd0847151f4

commit 3a8db2993955f4d89490f42094566cd0847151f4
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-05-14 22:35:14 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-15 14:24:16 +0000

    app-arch/unadf: drop vulnerable

    Bug: https://bugs.gentoo.org/636388
    Package-Manager: Portage-2.3.36, Repoman-2.3.9
    Closes: https://github.com/gentoo/gentoo/pull/8406

 app-arch/unadf/Manifest            |  1 -
 app-arch/unadf/unadf-0.7.9b.ebuild | 41 --------------------------------------
 2 files changed, 42 deletions(-)