Bug 769998 - <sys-devel/gettext-0.21-r1: vulnerability in bundled libcroco (CVE-2020-12825)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa+ cve]
Blocks: CVE-2020-12825
Reported: 2021-02-11 02:14 UTC by John Helmert III
Modified: 2022-08-21 02:15 UTC
Package list:
sys-devel/gettext-0.21-r1
Runtime testing required: ---
nattka: sanity-check+

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-11 02:14:52 UTC
libcroco bug: https://gitlab.gnome.org/GNOME/libcroco/-/issues/8

It might be suitable to apply the gnome-shell patch mentioned in our libcroco bug: https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1404/diffs?commit_id=44cbd1e718d6a08e59b9300280c340218a84e089
Comment 1 Larry the Git Cow gentoo-dev 2021-05-31 21:16:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2ee902bc3a015cc4515363c78f584391aa491884

commit 2ee902bc3a015cc4515363c78f584391aa491884
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-31 21:16:25 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-31 21:16:38 +0000

    sys-devel/gettext: fix CVE-2020-12825
    
    Bug: https://bugs.gentoo.org/769998
    Package-Manager: Portage-3.0.19, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../files/gettext-0.21-CVE-2020-12825.patch        | 335 +++++++++++++++++++++
 sys-devel/gettext/gettext-0.21-r1.ebuild           | 157 ++++++++++
 2 files changed, 492 insertions(+)
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-31 21:17:47 UTC
Added to an existing GLSA request.
Comment 3 Agostino Sarubbo gentoo-dev 2021-06-01 06:57:19 UTC
sparc stable
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-01 10:09:45 UTC
x86 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-01 10:38:33 UTC
amd64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-01 15:28:54 UTC
arm done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 10:38:03 UTC
arm64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 10:38:17 UTC
ppc done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 10:38:30 UTC
ppc64 done
Comment 10 Rolf Eike Beer archtester 2021-06-02 14:39:48 UTC
hppa stable
Comment 11 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 15:04:09 UTC
Please cleanup.
Comment 12 Larry the Git Cow gentoo-dev 2021-06-14 09:19:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a55c708f1468a81905c362a82b5f6c851bf01dce

commit a55c708f1468a81905c362a82b5f6c851bf01dce
Author:     David Seifert <soap@gentoo.org>
AuthorDate: 2021-06-14 09:19:24 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2021-06-14 09:19:24 +0000

    sys-devel/gettext: drop 0.21
    
    Bug: https://bugs.gentoo.org/769998
    Signed-off-by: David Seifert <soap@gentoo.org>

 sys-devel/gettext/gettext-0.21.ebuild | 156 ----------------------------------
 1 file changed, 156 deletions(-)
Comment 13 Larry the Git Cow gentoo-dev 2022-08-21 02:09:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2a92e2043bdf43ba9d8813b5b7aca6e24d69f047

commit 2a92e2043bdf43ba9d8813b5b7aca6e24d69f047
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-21 01:34:48 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-21 01:40:47 +0000

    [ GLSA 202208-33 ] Gnome Shell, gettext, libcroco: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/722752
    Bug: https://bugs.gentoo.org/755848
    Bug: https://bugs.gentoo.org/769998
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-33.xml | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-21 02:15:13 UTC
GLSA released, all done!