Bug 665520 - <media-libs/libde265-1.0.3: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Deadline: 2018-09-13
Assignee: Gentoo Security
URL: https://github.com/strukturag/libde26...
Whiteboard: B2 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-09-08 22:14 UTC by Thomas Deutschmann
Modified: 2018-11-10 00:25 UTC

See Also:
Package list:
media-libs/libde265-1.0.3
Runtime testing required: ---
stable-bot: sanity-check+
Description Thomas Deutschmann gentoo-dev Security 2018-09-08 22:14:36 UTC
From v1.0.3 release notes (see $URL):

- fixes for compiler build problems
- security fixes, mainly checking for corrupted input streams
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-09-08 22:16:33 UTC
I bumped the package via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed670c23c665f341bdd8bfd39f7c13a71ee59a81 but let's wait a few days due to EAPI=7 rewrite.
Comment 2 Andreas Sturmlechner gentoo-dev 2018-09-18 21:18:50 UTC
Adding arches. Besides the added security, this is considerably less broken than 1.0.2 ebuild.
Comment 3 Thomas Deutschmann gentoo-dev Security 2018-09-19 17:36:24 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2018-09-21 07:42:27 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 5 Larry the Git Cow gentoo-dev 2018-09-21 08:50:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c54a3c5bd7945246640be1e6e34a2b72d857b097

commit c54a3c5bd7945246640be1e6e34a2b72d857b097
Author:     Mikle Kolyada <zlogene@gentoo.org>
AuthorDate: 2018-09-21 08:50:15 +0000
Commit:     Mikle Kolyada <zlogene@gentoo.org>
CommitDate: 2018-09-21 08:50:15 +0000

    media-libs/libde265: Security cleanup
    
    Bug: https://bugs.gentoo.org/665520
    Package-Manager: Portage-2.3.49, Repoman-2.3.10

 media-libs/libde265/Manifest                       |  1 -
 .../libde265/files/libde265-1.0.2-qtbindir.patch   | 47 --------------------
 media-libs/libde265/libde265-1.0.2.ebuild          | 50 ----------------------
 3 files changed, 98 deletions(-)
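Review bot: The diffstat deletes libde265-1.0.2-qtbindir.patch from files/ together with the 1.0.2 ebuild, but the build log in comment 6 shows libde265-1.0.3 still applying that patch, so the remaining ebuild fails with "No such file or directory". Before dropping a file from files/ in a cleanup, check every remaining ebuild of the package for references to it; here, either keep the patch or update the 1.0.3 ebuild in the same commit.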
Comment 6 Manfred Knick 2018-09-21 12:35:10 UTC
(In reply to Agostino Sarubbo from comment #4)
> amd64 stable.
/var/tmp/portage/media-libs/libde265-1.0.3/temp/build.log :

 * Applying libde265-1.0.2-qtbindir.patch ...

/var/tmp/portage/media-libs/libde265-1.0.3/temp/environment:
line 653:
/var/tmp/portage/media-libs/libde265-1.0.3/files/libde265-1.0.2-qtbindir.patch:
No such file or directory

 [ !! ]
Comment 7 Thomas Deutschmann gentoo-dev Security 2018-09-21 12:39:11 UTC
Security cleanup removed that file. I'll revert, thanks.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2018-11-10 00:25:25 UTC
This issue was resolved and addressed in
 GLSA 201811-06 at https://security.gentoo.org/glsa/201811-06
by GLSA coordinator Thomas Deutschmann (whissi).