Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 68616 - dev-perl/Archive-Zip: zip security vulnerability
Summary: dev-perl/Archive-Zip: zip security vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa]
Depends on:
Reported: 2004-10-23 00:29 UTC by Steph L
Modified: 2004-10-29 06:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Steph L 2004-10-23 00:29:50 UTC
Versions before 1.14 are vulnerable to the following problem :

See perl bugs :

People using Archive-zip in amavisd-new, and some other 
email filtering applications really need this update

Reproducible: Always
Steps to Reproduce:

Solution : 
 cp Archive-Zip-1.12.ebuild  Archive-Zip-1.14.ebuild 
 ebuild Archive-Zip-1.14.ebuild digest
Comment 1 Chris White (RETIRED) gentoo-dev 2004-10-23 07:11:21 UTC
This looks to be a security bug.  I'm re-assigning it to the security team for
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-23 07:52:26 UTC
perl team, pls bump the ebuild
Comment 3 Michael Cummings (RETIRED) gentoo-dev 2004-10-23 18:06:15 UTC
Bumped, tested, marked for sparc and x86. PPC, can you check it, confirm it, and mark it?
Comment 4 Michael Cummings (RETIRED) gentoo-dev 2004-10-23 18:45:36 UTC
darkspectre worked with me in irc and confirmed this for ppc. marking stable now - security folks, its all up to you for a glsa if you want it.
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-24 03:03:30 UTC
adjusting Severity, removing ppc since it's already stable on ppc


alpha and amd64, please test Archive-Zip-1.14 and mark it stable if possible

current KEYWORDS="x86 sparc ppc"
target KEYWORDS="x86 amd64 ppc sparc alpha"
Comment 6 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-24 06:32:54 UTC
Stable on alpha.
Comment 7 Matthias Geerdsen (RETIRED) gentoo-dev 2004-10-25 01:53:18 UTC
while we are waiting for the last arch to test/mark stable, pls vote on a GLSA
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-10-25 02:27:23 UTC
This allows to bypass antivirus security, so I would issue one (Low ?), yes.
Comment 9 Karol Wojtaszek (RETIRED) gentoo-dev 2004-10-25 15:22:54 UTC
Stable on amd64.
Comment 10 Steph L 2004-10-26 15:47:36 UTC
The FreeBSD folks have updated their port to 1.14
There is now an official Amavis Security Announcement :
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-10-27 05:10:17 UTC
We'll have a GLSA on that one.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-10-29 06:12:32 UTC
GLSA 200410-31