Bug 701350 - <net-mail/notmuch-0.29.3: multiple vulnerabilities
Summary: <net-mail/notmuch-0.29.3: multiple vulnerabilities
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://notmuchmail.org/news/release-...
Whiteboard: B3 [glsa? cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-27 19:08 UTC by Ralph Seichter
Modified: 2020-02-01 23:37 UTC

See Also:
Package list:
=net-mail/notmuch-0.29.3
Runtime testing required: ---
stable-bot: sanity-check+


Description Ralph Seichter 2019-11-27 19:08:52 UTC
https://notmuchmail.org/releases/notmuch-0.29.3.tar.xz

* Fix for use-after-free in notmuch_config_list_{key,val}.

* Fix for double close of file in notmuch-dump.

Reproducible: Always
Comment 1 Larry the Git Cow gentoo-dev 2019-11-27 23:12:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7b44fa58efd3f42ff1186459a63c8c27e64e419

commit c7b44fa58efd3f42ff1186459a63c8c27e64e419
Author:     Amadeusz Piotr Żołnowski <aidecoe@gentoo.org>
AuthorDate: 2019-11-27 23:10:29 +0000
Commit:     Amadeusz Piotr Żołnowski <aidecoe@gentoo.org>
CommitDate: 2019-11-27 23:11:53 +0000

    net-mail/notmuch: Bump to 0.29.3
    
    Remove 0.29.2-r1 as 0.29.3 has the backported patch and one more
    additional fix.
    
    Bug: https://bugs.gentoo.org/701350
    Package-Manager: Portage-2.3.76, Repoman-2.3.16
    Signed-off-by: Amadeusz Piotr Żołnowski <aidecoe@gentoo.org>

 net-mail/notmuch/Manifest                          |  1 +
 ...dump.c-Fix-output-file-being-closed-twice.patch | 20 -------
 ...-Use-loopback-IP-address-rather-than-name.patch | 61 ++++++++++++++++++++++
 ...much-0.29.2-r1.ebuild => notmuch-0.29.3.ebuild} |  1 -
 4 files changed, 62 insertions(+), 21 deletions(-)
Comment 2 Amadeusz Żołnowski gentoo-dev 2019-11-27 23:16:00 UTC
Gentoo Security Team, shall we stabilise now?
Comment 3 Amadeusz Żołnowski gentoo-dev 2019-11-28 23:48:17 UTC
please stabilise =net-mail/notmuch-0.29.3
Comment 4 Agostino Sarubbo gentoo-dev 2020-01-30 10:10:19 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-01-30 12:14:55 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please vote.
Comment 6 Larry the Git Cow gentoo-dev 2020-02-01 23:37:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e705c4ca0409cb296a8e79c5adccc633456d0406

commit e705c4ca0409cb296a8e79c5adccc633456d0406
Author:     Amadeusz Piotr Żołnowski <aidecoe@gentoo.org>
AuthorDate: 2020-02-01 23:32:54 +0000
Commit:     Amadeusz Piotr Żołnowski <aidecoe@gentoo.org>
CommitDate: 2020-02-01 23:37:04 +0000

    net-mail/notmuch: Remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/701350
    Package-Manager: Portage-2.3.76, Repoman-2.3.16
    Signed-off-by: Amadeusz Piotr Żołnowski <aidecoe@gentoo.org>

 net-mail/notmuch/Manifest                          |   2 -
 ...-Use-loopback-IP-address-rather-than-name.patch |  61 ------
 ...-Use-loopback-IP-address-rather-than-name.patch |  62 ------
 .../0002-Fix-jobserver-unavailable-warning.patch   |  26 ---
 net-mail/notmuch/notmuch-0.28.4.ebuild             | 232 --------------------
 net-mail/notmuch/notmuch-0.29.2.ebuild             | 233 ---------------------
 6 files changed, 616 deletions(-)