CVE-2012-3368 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3368): Integer signedness error in attach.c in dtach 0.8 allows remote attackers to obtain sensitive information from daemon stack memory in opportunistic circumstances by reading application data after an improper connection-close request, as demonstrated by running an IRC client in dtach.

Upstream bug: http://sourceforge.net/tracker/?func=detail&aid=3517812&group_id=36489&atid=417357
Proposed patch: http://sourceforge.net/tracker/download.php?group_id=36489&atid=417357&file_id=441195&aid=3517812
I will wait for progress on the upstream bug and/or redhat and then commit the patch.
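As an added illustration of the bug class the CVE entry above describes, and not dtach's own attach.c or the proposed patch: a reconstruction in C of how storing read()'s signed result in an unsigned one-byte length field defeats the close-on-error check, next to the corrected pattern. The struct, field and function names and the buffer size are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define BUF_SIZE 8  /* constructed size; the real dtach packet buffer differs */

/* Assumed layout: a one-byte length field, as in the bug class described. */
struct packet {
    unsigned char type;
    unsigned char len;           /* unsigned: cannot represent read()'s -1 */
    unsigned char buf[BUF_SIZE];
};

/* Vulnerable pattern: the ssize_t result of read() is stored straight into
 * the unsigned len field and only then tested. -1 silently becomes 255, the
 * "<= 0" test cannot fire, and the packet claims 255 bytes of payload though
 * buf holds BUF_SIZE. A receiver that trusts len then copies 255 bytes from
 * its own stack buffer onward. Returns the length the sender would claim,
 * or -1 when the close is handled correctly. */
static int claimed_len_vulnerable(ssize_t nread)
{
    struct packet pkt;
    memset(&pkt, 0, sizeof pkt);
    pkt.len = nread;             /* implicit narrowing: -1 -> 255 */
    if (pkt.len <= 0)            /* true only for len == 0 */
        return -1;
    return pkt.len;
}

/* Fixed pattern: keep the signed value signed until it has been checked,
 * and never let len exceed the buffer it describes. */
static int claimed_len_fixed(ssize_t nread)
{
    struct packet pkt;
    memset(&pkt, 0, sizeof pkt);
    if (nread <= 0)              /* EOF or error: stop before narrowing */
        return -1;
    if (nread > (ssize_t)sizeof pkt.buf)
        nread = sizeof pkt.buf;
    pkt.len = (unsigned char)nread;
    return pkt.len;
}

int main(void)
{
    printf("read() returned -1: vulnerable claims %d bytes, fixed returns %d\n",
           claimed_len_vulnerable(-1), claimed_len_fixed(-1));
    return 0;
}
```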
+*dtach-0.8-r1 (07 Nov 2012)
+
+  07 Nov 2012; Justin Lecher <jlec@gentoo.org> +dtach-0.8-r1.ebuild,
+  +files/dtach-0.8-CVE-2012-3368.patch:
+  Backport fix for CVE-2012-3368, #426496

How long do we need to wait for stabilization?
(In reply to comment #2)
> How long do we need to wait for stabilization?

No need to wait on security bugs if the ebuild is ready. Arches, please test and mark stable =app-misc/dtach-0.8-r1
amd64 stable
x86 done.
stable ppc, closing
Thanks, everyone. GLSA vote: no.
+  15 Nov 2012; Justin Lecher <jlec@gentoo.org> -dtach-0.8.ebuild:
+  Drop vulnerable version, #426496
+
NO too, closing.