701350 – <net-mail/notmuch-0.29.3: multiple vulnerabilities

Bug 701350 - <net-mail/notmuch-0.29.3: multiple vulnerabilities

Summary: <net-mail/notmuch-0.29.3: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://notmuchmail.org/news/release-...
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2019-11-27 19:08 UTC by Ralph Seichter
Modified:	2020-03-17 14:29 UTC (History)
CC List:	2 users (show)

See Also:
Package list:	=net-mail/notmuch-0.29.3
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ralph Seichter 2019-11-27 19:08:52 UTC

https://notmuchmail.org/releases/notmuch-0.29.3.tar.xz

* Fix for use-after-free in notmuch_config_list_{key,val}.

* Fix for double close of file in notmuch-dump.

Reproducible: Always

Comment 1 Larry the Git Cow gentoo-dev

2019-11-27 23:12:00 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7b44fa58efd3f42ff1186459a63c8c27e64e419

commit c7b44fa58efd3f42ff1186459a63c8c27e64e419
Author:     Amadeusz Piotr Żołnowski <aidecoe@gentoo.org>
AuthorDate: 2019-11-27 23:10:29 +0000
Commit:     Amadeusz Piotr Żołnowski <aidecoe@gentoo.org>
CommitDate: 2019-11-27 23:11:53 +0000

    net-mail/notmuch: Bump to 0.29.3
    
    Remove 0.29.2-r1 as 0.29.3 has the backported patch and one more
    additional fix.
    
    Bug: https://bugs.gentoo.org/701350
    Package-Manager: Portage-2.3.76, Repoman-2.3.16
    Signed-off-by: Amadeusz Piotr Żołnowski <aidecoe@gentoo.org>

 net-mail/notmuch/Manifest                          |  1 +
 ...dump.c-Fix-output-file-being-closed-twice.patch | 20 -------
 ...-Use-loopback-IP-address-rather-than-name.patch | 61 ++++++++++++++++++++++
 ...much-0.29.2-r1.ebuild => notmuch-0.29.3.ebuild} |  1 -
 4 files changed, 62 insertions(+), 21 deletions(-)

Comment 2 Amadeusz Żołnowski (RETIRED) gentoo-dev

2019-11-27 23:16:00 UTC

Gentoo Security Team, shall we stabilise now?

Comment 3 Amadeusz Żołnowski (RETIRED) gentoo-dev

2019-11-28 23:48:17 UTC

please stabilise =net-mail/notmuch-0.29.3

Comment 4 Agostino Sarubbo gentoo-dev

2020-01-30 10:10:19 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2020-01-30 12:14:55 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 6 Larry the Git Cow gentoo-dev

2020-02-01 23:37:11 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e705c4ca0409cb296a8e79c5adccc633456d0406

commit e705c4ca0409cb296a8e79c5adccc633456d0406
Author:     Amadeusz Piotr Żołnowski <aidecoe@gentoo.org>
AuthorDate: 2020-02-01 23:32:54 +0000
Commit:     Amadeusz Piotr Żołnowski <aidecoe@gentoo.org>
CommitDate: 2020-02-01 23:37:04 +0000

    net-mail/notmuch: Remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/701350
    Package-Manager: Portage-2.3.76, Repoman-2.3.16
    Signed-off-by: Amadeusz Piotr Żołnowski <aidecoe@gentoo.org>

 net-mail/notmuch/Manifest                          |   2 -
 ...-Use-loopback-IP-address-rather-than-name.patch |  61 ------
 ...-Use-loopback-IP-address-rather-than-name.patch |  62 ------
 .../0002-Fix-jobserver-unavailable-warning.patch   |  26 ---
 net-mail/notmuch/notmuch-0.28.4.ebuild             | 232 --------------------
 net-mail/notmuch/notmuch-0.29.2.ebuild             | 233 ---------------------
 6 files changed, 616 deletions(-)

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-17 14:29:41 UTC

GLSA Vote: No!

Repository is clean, all done.