Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 724494 - <dev-perl/Convert-UUlib-1.710.0: Multiple vulnerabilities
Summary: <dev-perl/Convert-UUlib-1.710.0: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://metacpan.org/source/MLEHMANN/...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-21 19:32 UTC by Sam James
Modified: 2020-07-26 05:15 UTC (History)
2 users (show)

See Also:
Package list:
dev-perl/Convert-UUlib-1.710.0
Runtime testing required: No
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-05-21 19:32:54 UTC
1.6  Thu Oct 24 17:11:54 CEST 2019
        - fix heap overflow (testcase by Noel Duffy, reported
          by Robert Scheck). The defense-in-depth mechanism based
          on mmap should make this unexploitable for other than denial
          of service, on systems supporting mmap/mprotect.
 
1.5  Sat Jul 11 03:56:06 CEST 2015
        - fix a heap overflow (testcase by Krzysztof Wojtaś).
        - on systems that support it (posix + mmap + map_anonymous),
          allocate all dynamic areas via mmap and put four guard
          pages around them, to catch similar heap overflows
          safely in the future.
        - find a safer way to pass in CC/CFLAGS to uulib.
        - added stability canary support.
Comment 1 Sam James archtester gentoo-dev Security 2020-05-21 19:33:26 UTC
@maintianer(s), let us know when ready for stabilisation.
Comment 2 Sam James archtester gentoo-dev Security 2020-06-04 16:57:38 UTC
How're we looking? :)
Comment 3 Agostino Sarubbo gentoo-dev 2020-06-06 17:31:00 UTC
arm stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-06-06 17:33:42 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-06 17:35:32 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-06 17:37:53 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-06 18:10:52 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-06-07 08:45:16 UTC
amd64 stable
Comment 9 Rolf Eike Beer 2020-06-08 16:09:09 UTC
hppa stable
Comment 10 Sam James archtester gentoo-dev Security 2020-06-09 02:23:07 UTC
@maintainer(s), please cleanup
Comment 11 Sam James archtester gentoo-dev Security 2020-06-20 02:08:46 UTC
ping
Comment 12 Larry the Git Cow gentoo-dev 2020-06-20 03:10:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f86bf1c11c58fa8e4f08f59512960dcaafe626a5

commit f86bf1c11c58fa8e4f08f59512960dcaafe626a5
Author:     Kent Fredric <kentnl@gentoo.org>
AuthorDate: 2020-06-20 03:09:36 +0000
Commit:     Kent Fredric <kentnl@gentoo.org>
CommitDate: 2020-06-20 03:09:58 +0000

    dev-perl/Convert-UUlib: Cleanup old 1.{4,5}00.0-r1 re bug #724494
    
    Removing versions affected by heap overflow issues
    
    Bug: https://bugs.gentoo.org/724494
    Closes: https://bugs.gentoo.org/723216
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Kent Fredric <kentnl@gentoo.org>

 .../Convert-UUlib/Convert-UUlib-1.400.0-r1.ebuild  | 17 ----------
 .../Convert-UUlib/Convert-UUlib-1.500.0-r1.ebuild  | 35 --------------------
 dev-perl/Convert-UUlib/Manifest                    |  2 --
 .../files/Convert-UUlib-1.500.0-unbundle.patch     | 37 ----------------------
 dev-perl/Convert-UUlib/metadata.xml                |  3 --
 5 files changed, 94 deletions(-)
Comment 13 Sam James archtester gentoo-dev Security 2020-06-20 03:31:00 UTC
Thanks!
Comment 14 Sam James archtester gentoo-dev Security 2020-07-26 05:15:51 UTC
GLSA vote: no. Thanks, closing!