Comment 1 Tony Vroon (RETIRED) 2005-03-12 08:49:27 UTC

We do not have the mentioned vulnerable 3.1.2 version in our tree anymore.

Comment 2 Luke Macken (RETIRED) 2005-03-12 10:25:00 UTC

someone responded to the bug and confirmed this in 3.2.0 as well.

CC'ing sound since this is their baby.

Comment 3 Jan Brinkmann (RETIRED) 2005-03-12 17:05:42 UTC

a 3.3.0 ebuild and the patch from sourceforge are now in tree

Comment 4 Luke Macken (RETIRED) 2005-03-12 18:31:28 UTC

The added patch was not confirmed by upstream, and is not included in their latest release 3.3.0.  Although this vulnerability is highly unlikely to cause any trouble, the patch looks harmless to me, so I have no objection for keeping it in the tree. 

Security/Audit Team, opinions?

Comment 5 Thierry Carrez (RETIRED) 2005-03-14 01:35:32 UTC

Looks alright to me...
Arches, please test and mark grip-3.3.0 stable

Comment 6 Markus Rothe (RETIRED) 2005-03-14 08:40:37 UTC

stable on ppc64

Comment 7 Michael Hanselmann (hansmi) (RETIRED) 2005-03-14 10:13:19 UTC

Stable on ppc.

Comment 8 Gustavo Zacarias (RETIRED) 2005-03-14 11:38:03 UTC

sparc stable.

Comment 9 Jan Brinkmann (RETIRED) 2005-03-14 11:52:29 UTC

stable on amd64 and x86

Comment 10 Bryan Østergaard (RETIRED) 2005-03-17 00:16:45 UTC

Stable on alpha.

Comment 11 Luke Macken (RETIRED) 2005-03-17 09:47:05 UTC

GLSA 200503-21

Comment 12 Jan Brinkmann (RETIRED) 2005-03-17 11:04:53 UTC

what about the vulnerable versions in the tree, 3.2.0 and 3.2.0-r1 ? shouldn't somebody remove them?

Comment 13 Chris White (RETIRED) 2005-03-17 16:20:13 UTC

Vulnerable versions are removed.

Is it really appropriate to replace Grip 3.2.0 (the officially released version) with Grip 3.3.0 (an unstable development version?).  Shouldn't the proper route been to backport the patch to 3.2.0?

FYI, the patch (3.3.0-crashfix.patch) applies directly to 3.2.0 and solves the problem