CVE-2010-0280 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0280): Array index error in Jan Eric Kyprianidis lib3ds 1.x, as used in Google SketchUp 7.x before 7.1 M2, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted structures in a 3DS file, probably related to mesh.c.
According to http://secunia.com/advisories/38185/ this is fixed in version 2.0 Release Candidate 1, which is tagged in the upstream repo: http://code.google.com/p/lib3ds/source/browse/#svn%2Ftags%2Flib3ds-2.0.0-rc1 . Maintainers, please provide an updated ebuild for this security issue.
@games: ping, need a bump.
Security bumped. Arches, please stabilize: =media-libs/lib3ds-2.0.0_rc1 Target arches: amd64 ppc ppc64 x86
Created attachment 358922: lib3ds-2.0.0_rc1.ebuild.patch. =media-libs/lib3ds-2.0.0_rc1 fails to compile here (~amd64) if not eutoreconf, because of links in the examples, I think. I attach the patch. Cheers.
I couldn't reproduce that behavior here, could you please attach a full build.log?
Created attachment 358940: build.log. Here it is. Cheers.
amd64 stable
x86 stable
@Iván Atienza Thank you. Not knowing that, I killed the examples directory in all source autotool files to get it built :-).
ppc64 stable
ppc stable
GLSA drafted and ready for review. Maintainers, please drop the vulnerable version.
Maintainers, are there any reasons we need to keep 1.3.0 around, as it is still vulnerable?
Did anyone confirm that lib3ds-2 doesn't break any of the packages that use lib3ds?
@maintainers: can we clean lib3ds-1.3.0? This has been in cleanup mode for approximately 6 months. Will clean in 15 days if no response is given.
It's gone.
Maintainer(s), Thank you for cleanup!
This issue was resolved and addressed in GLSA 201405-23 at http://security.gentoo.org/glsa/glsa-201405-23.xml by GLSA coordinator Sean Amoss (ackle).