A vulnerability has been reported in Gnumeric, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to integer overflows and signedness errors when processing XLS HLINK opcodes within the "excel_read_HLINK()" function in plugins/excel/ms-excel-read.c. This can be exploited to corrupt the stack via a specially crafted XLS file. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 1.6.3. Versions prior to 1.8.1 may also be affected. Solution: Update to version 1.8.1. http://ftp.gnome.org/pub/GNOME/sources/gnumeric/1.8/
Gnome-office, is 1.8.1 ready for going stable? please advise.
it's a bugfix only release following 1.8.0 so I'd say yes. Plus it has no currently opened bug against it in gentoo.
Arches, please test and mark stable: =app-office/gnumeric-1.8.1 Target keywords : "alpha amd64 hppa ia64 ppc ppc64 release sparc x86"
x86 stable. Please note: dodoc: TODO does not exist
Tested app-office/gnumeric-1.8.1 USE="gnome -debug -perl -python" on sparc. - compiles - no test phase(restricted) - no collisions - works # emerge --info Portage 2.1.3.19 (default-linux/sparc/sparc64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r6 sparc64) ================================================================= System uname: 2.6.23-gentoo-r6 sparc64 sun4u Timestamp of tree: Sat, 02 Feb 2008 10:00:01 +0000 ccache version 2.4 [enabled] app-shells/bash: 3.2_p17-r1 dev-lang/python: 2.4.4-r6 dev-python/pycrypto: 2.0.1-r6 dev-util/ccache: 2.4-r7 sys-apps/baselayout: 1.12.10-r5 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.23-r3 ACCEPT_KEYWORDS="sparc" CBUILD="sparc-unknown-linux-gnu" CFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers -ggdb" CHOST="sparc-unknown-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d" CPPFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers -ggdb" CXXFLAGS="-mcpu=ultrasparc3 -mtune=ultrasparc3 -mvis -Wa,-Av8plusa -O2 -pipe -frename-registers -ggdb" DISTDIR="/usr/portage/distfiles" FEATURES="ccache collision-protect distlocks installsources metadata-transfer parallel-fetch sanxbox splitdebug strict test userfetch userpriv usersandbox" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LANG="de_DE.UTF-8" LDFLAGS="-Wl,-O1" LINGUAS="en de" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="64bit 7zip X a52 aac aalib alsa artworkextra audacious avahi blender-game bluetooth bzip2 caps ccache cups curl custom-cflags cvs dbus dga disk-partition divx dts dv dvd dvdread encode fastcgi fat ffmpeg flac ftp fuse gd gif gimp gimpprint gmedia gnome gnome-print gnomecanvas gpm grammar gtk hal hpn ieee1394 ithreads javascript jpeg jpeg2k lzo mad memcache midi mikmod mjpeg mp2 mp3 mpeg mpeg2 mplayer musepack nautilus ncurses network networking nls nptl nptlonly nsplugin offensive ogg openal opengl opera pam pcre png pnm ppds quicktime realmedia regex ruby samba sdl sdl-image slang smartcard smp sms sound soundex sparc speex spell sqlite3 ssl subversion svg symlink test theora threads tiff timidity truetype tta unicode usb userlocales utils vcd vidix vim vim-syntax vim-with-x vorbis wma wmf wmp x264 xanim xcb xfce xine xinerama xorg xulrunner xv xvid zlib" ALSA_PCM_PLUGINS="adpcm alaw copy dshare dsnoop extplug file hooks ladspa lfloat linear meter mulaw multi null rate route share shm" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en de" USERLAND="GNU" VIDEO_CARDS="mach64" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
ppc64 done
ppc done too
Stable for HPPA.
alpha/ia64/sparc stable
amd64 done, I guess this is done
(In reply to comment #10) > amd64 done, I guess this is done > nope, we still need a glsa, so please don't close security bugs ;)
oops
GLSA 200802-05, kthxbye.
Fixed in release snapshot.