724494 – <dev-perl/Convert-UUlib-1.710.0: Multiple vulnerabilities

Bug 724494 - <dev-perl/Convert-UUlib-1.710.0: Multiple vulnerabilities

Summary: <dev-perl/Convert-UUlib-1.710.0: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://metacpan.org/source/MLEHMANN/...
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2020-05-21 19:32 UTC by Sam James
Modified:	2020-07-26 05:15 UTC (History)
CC List:	2 users (show)

See Also:	724504 724618
Package list:	dev-perl/Convert-UUlib-1.710.0
Runtime testing required:	No

Flags:	nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2020-05-21 19:32:54 UTC

1.6  Thu Oct 24 17:11:54 CEST 2019
        - fix heap overflow (testcase by Noel Duffy, reported
          by Robert Scheck). The defense-in-depth mechanism based
          on mmap should make this unexploitable for other than denial
          of service, on systems supporting mmap/mprotect.
 
1.5  Sat Jul 11 03:56:06 CEST 2015
        - fix a heap overflow (testcase by Krzysztof Wojtaś).
        - on systems that support it (posix + mmap + map_anonymous),
          allocate all dynamic areas via mmap and put four guard
          pages around them, to catch similar heap overflows
          safely in the future.
        - find a safer way to pass in CC/CFLAGS to uulib.
        - added stability canary support.

Comment 1 Sam James archtester

2020-05-21 19:33:26 UTC

@maintianer(s), let us know when ready for stabilisation.

Comment 2 Sam James archtester

2020-06-04 16:57:38 UTC

How're we looking? :)

Comment 3 Agostino Sarubbo gentoo-dev

2020-06-06 17:31:00 UTC

arm stable

Comment 4 Agostino Sarubbo gentoo-dev

2020-06-06 17:33:42 UTC

ppc stable

Comment 5 Agostino Sarubbo gentoo-dev

2020-06-06 17:35:32 UTC

ppc64 stable

Comment 6 Agostino Sarubbo gentoo-dev

2020-06-06 17:37:53 UTC

sparc stable

Comment 7 Agostino Sarubbo gentoo-dev

2020-06-06 18:10:52 UTC

x86 stable

Comment 8 Agostino Sarubbo gentoo-dev

2020-06-07 08:45:16 UTC

amd64 stable

Comment 9 Rolf Eike Beer archtester

2020-06-08 16:09:09 UTC

hppa stable

Comment 10 Sam James archtester

2020-06-09 02:23:07 UTC

@maintainer(s), please cleanup

Comment 11 Sam James archtester

2020-06-20 02:08:46 UTC

ping

Comment 12 Larry the Git Cow gentoo-dev

2020-06-20 03:10:31 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f86bf1c11c58fa8e4f08f59512960dcaafe626a5

commit f86bf1c11c58fa8e4f08f59512960dcaafe626a5
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2020-06-20 03:09:36 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2020-06-20 03:09:58 +0000

    dev-perl/Convert-UUlib: Cleanup old 1.{4,5}00.0-r1 re bug #724494
    
    Removing versions affected by heap overflow issues
    
    Bug: https://bugs.gentoo.org/724494
    Closes: https://bugs.gentoo.org/723216
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 .../Convert-UUlib/Convert-UUlib-1.400.0-r1.ebuild  | 17 ----------
 .../Convert-UUlib/Convert-UUlib-1.500.0-r1.ebuild  | 35 --------------------
 dev-perl/Convert-UUlib/Manifest                    |  2 --
 .../files/Convert-UUlib-1.500.0-unbundle.patch     | 37 ----------------------
 dev-perl/Convert-UUlib/metadata.xml                |  3 --
 5 files changed, 94 deletions(-)

Comment 13 Sam James archtester

2020-06-20 03:31:00 UTC

Thanks!

Comment 14 Sam James archtester

2020-07-26 05:15:51 UTC

GLSA vote: no. Thanks, closing!