Patience is strongly advised... However, a little note regarding mozilla overlay: unless that's a little autoconf 2.13 quirk, shouldn't the line in the ebuild go: mozconfig_annotate '' --build="${CBUILD:-${CHOST}}" ? Also, perhaps it's a change in the eclass not yet in the main tree, but the ebuild started to produce following QA warnings: * QA Notice: Unrecognized configure options: * * configure: WARNING: unrecognized options: --enable-application, --enab le-optimize, --with-system-jpeg, --with-system-zlib, --enable-pango, --enable- svg, --enable-system-cairo, --disable-installer, --disable-pedantic, --disable -updater, --disable-strip, --disable-strip-libs, --disable-install-strip, --en able-single-profile, --disable-profilesharing, --disable-profilelocking, --ena ble-elf-dynstr-gc, --enable-default-toolkit, --enable-official-branding, --ena ble-ogg, --enable-wave, --enable-dbus, --disable-tests, --disable-debugger-inf o-modules, --enable-ipc, --enable-libnotify, --enable-startup-notification, -- enable-system-sqlite, --with-sqlite-prefix, --disable-necko-wifi, --enable-webm, --with-system-libvpx, --enable-tracejit, --with-system-nspr, --with-nspr-prefix, --with-system-nss, --with-nss-prefix, --with-system-libevent, --enable-system-hunspell, --disable-gnomevfs, --disable-gnomeui, --enable-gio, --disable-crashreporter, --enable-storage, --enable-places, --enable-places_bookmarks, --enable-oji, --enable-mathml, --disable-mochitest, --disable-gconf, --disable-mailnews, --enable-canvas, --enable-safe-browsing, --with-system-png, --enable-system-ffi, --with-default-mozilla-five-home, --enable-gstreamer, --enable-system-sqlite, --enable-methodjit, --enable-tracejit, --enable-extensions * configure: WARNING: unrecognized options: --enable-application, --enable-optimize, --with-system-jpeg, --with-system-zlib, --enable-pango, --enable-svg, --enable-system-cairo, --disable-installer, --disable-pedantic, --disable-updater, --disable-strip, --disable-strip-libs, --disable-install-strip, --enable-single-profile, --disable-profilesharing, --disable-profilelocking, --enable-elf-dynstr-gc, --enable-default-toolkit, --enable-official-branding, --enable-ogg, --enable-wave, --enable-dbus, --disable-tests, --disable-debugger-info-modules, --enable-ipc, --enable-libnotify, --enable-startup-notification, --enable-system-sqlite, --with-sqlite-prefix, --disable-necko-wifi, --enable-webm, --with-system-libvpx, --enable-tracejit, --with-system-nspr, --with-nspr-prefix, --with-system-nss, --with-nss-prefix, --with-system-libevent, --enable-system-hunspell, --disable-gnomevfs, --disable-gnomeui, --enable-gio, --disable-crashreporter, --enable-storage, --enable-places, --enable-places_bookmarks, --enable-oji, --enable-mathml, --disable-mochitest, --disable-gconf, --disable-mailnews, --enable-canvas, --enable-safe-browsing, --with-system-png, --enable-system-ffi, --with-default-mozilla-five-home, --enable-gstreamer, --enable-system-sqlite, --enable-methodjit, --enable-tracejit, --enable-extensions P.S.: while it wont matter for ~arch (and if stabilization is fast enough, it won't matter much for stable either), but media-libs/libpng dep needs to be bumped to 1.5.11.
Upstream security announcements are at $URL. MFSA to CVE line-up: MFSA 2012-74 CVE-2012-{3982,3983} MFSA 2012-75 CVE-2012-{3984,5354} MFSA 2012-76 CVE-2012-3985 MFSA 2012-77 CVE-2012-3986 MFSA 2012-78 CVE-2012-3987 MFSA 2012-79 CVE-2012-3988 MFSA 2012-80 CVE-2012-3989 MFSA 2012-81 CVE-2012-3991 MFSA 2012-82 CVE-2012-3994 MFSA 2012-83 CVE-2012-{3993,4184} MFSA 2012-84 CVE-2012-3992 MFSA 2012-85 CVE-2012-{3995,4179,4180,4181,4182,4183} MFSA 2012-86 CVE-2012-{4185,4186,4187,4188} MFSA 2012-87 CVE-2012-3990
CVE-2012-5354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5354): Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13 do not properly handle navigation away from a web page that has multiple menus of SELECT elements active, which allows remote attackers to conduct clickjacking attacks via vectors involving an XPI file, the window.open method, and the Geolocation API, a different vulnerability than CVE-2012-3984. CVE-2012-4188 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4188): Heap-based buffer overflow in the Convolve3x3 function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code via unspecified vectors. CVE-2012-4187 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4187): Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 do not properly manage a certain insPos variable, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and assertion failure) via unspecified vectors. CVE-2012-4186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4186): Heap-based buffer overflow in the nsWaveReader::DecodeAudioData function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code via unspecified vectors. CVE-2012-4185 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4185): Buffer overflow in the nsCharTraits::length function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. CVE-2012-4184 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4184): The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 does not prevent access to properties of a prototype for a standard class, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site. CVE-2012-4183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4183): Use-after-free vulnerability in the DOMSVGTests::GetRequiredFeatures function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. CVE-2012-4182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4182): Use-after-free vulnerability in the nsTextEditRules::WillInsert function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. CVE-2012-4181 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4181): Use-after-free vulnerability in the nsSMILAnimationController::DoSample function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. CVE-2012-4180 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4180): Heap-based buffer overflow in the nsHTMLEditor::IsPrevCharInNodeWhitespace function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code via unspecified vectors. CVE-2012-4179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4179): Use-after-free vulnerability in the nsHTMLCSSUtils::CreateCSSPropertyTxn function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. CVE-2012-3995 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3995): The IsCSSWordSpacingSpace function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors. CVE-2012-3994 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3994): Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allow remote attackers to conduct cross-site scripting (XSS) attacks via a binary plugin that uses Object.defineProperty to shadow the top object, and leverages the relationship between top.location and the location property. CVE-2012-3993 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3993): The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 does not properly interact with failures of InstallTrigger methods, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site, related to an "XrayWrapper pollution" issue. CVE-2012-3992 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3992): Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 do not properly manage history data, which allows remote attackers to conduct cross-site scripting (XSS) attacks or obtain sensitive POST content via vectors involving a location.hash write operation and history navigation that triggers the loading of a URL into the history object. CVE-2012-3991 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3991): Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 do not properly restrict JSAPI access to the GetProperty function, which allows remote attackers to bypass the Same Origin Policy and possibly have unspecified other impact via a crafted web site. CVE-2012-3990 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3990): Use-after-free vulnerability in the IME State Manager implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute arbitrary code via unspecified vectors, related to the nsIContent::GetNameSpaceID function. CVE-2012-3989 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3989): Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13 do not properly perform a cast of an unspecified variable during use of the instanceof operator on a JavaScript object, which allows remote attackers to execute arbitrary code or cause a denial of service (assertion failure) via a crafted web site. CVE-2012-3988 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3988): Use-after-free vulnerability in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 might allow user-assisted remote attackers to execute arbitrary code via vectors involving use of mozRequestFullScreen to enter full-screen mode, and use of the history.back method for backwards history navigation. CVE-2012-3987 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3987): Mozilla Firefox before 16.0 on Android assigns chrome privileges to Reader Mode pages, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site. CVE-2012-3986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3986): Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 do not properly restrict calls to DOMWindowUtils (aka nsDOMWindowUtils) methods, which allows remote attackers to bypass intended access restrictions via crafted JavaScript code. CVE-2012-3985 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3985): Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13 do not properly implement the HTML5 Same Origin Policy, which allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging initial-origin access after document.domain has been set. CVE-2012-3984 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3984): Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13 do not properly handle navigation away from a web page that has a SELECT element's menu active, which allows remote attackers to spoof page content via vectors involving absolute positioning and scrolling. CVE-2012-3983 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3983): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2012-3982 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3982): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
*** Bug 438078 has been marked as a duplicate of this bug. ***
CVE-2012-4193 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4193): Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before 2.13.1 omit a security check in the defaultValue function during the unwrapping of security wrappers, which allows remote attackers to bypass the Same Origin Policy and read the properties of a Location object, or execute arbitrary JavaScript code, via a crafted web site. CVE-2012-4192 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4192): Mozilla Firefox 16.0, Thunderbird 16.0, and SeaMonkey 2.13 allow remote attackers to bypass the Same Origin Policy and read the properties of a Location object via a crafted web site, a related issue to CVE-2012-4193. CVE-2012-4191 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4191): The mozilla::net::FailDelayManager::Lookup function in the WebSockets implementation in Mozilla Firefox before 16.0.1, Thunderbird before 16.0.1, and SeaMonkey before 2.13.1 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. CVE-2012-4190 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4190): The FT2FontEntry::CreateFontEntry function in FreeType, as used in the Android build of Mozilla Firefox before 16.0.1 on CyanogenMod 10, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.
*** Bug 438528 has been marked as a duplicate of this bug. ***
Is there any reason why both Thunderbird and Firefox have not been up'ed to their respective current version which have all known CVEs fixed? (not nagging, just a serious question) IMHO this should really have been done by now.
(In reply to comment #7) > Is there any reason why both Thunderbird and Firefox have not been up'ed to > their respective current version which have all known CVEs fixed? (not > nagging, just a serious question) IMHO this should really have been done by > now. I am currently away from my computer for next few weeks, only esr are marked stable and need to be bumped first and for most. I am sure someone from the herd will get these bumped just as soon as possible.
Tick, tock... Even ESR haven't been bumped yet.
For the impatient ones: Simply renaming the 10.0.7 ebuild to 10.0.9 worked for me.
Well... this is kind of worrying that neither firefox nor thunderbird have been bumped yet. Actually that is all there is to it: bumping. The patches apply cleanly and both work just fine and stable. And the vulnerabilities in all prior versions are very worrisome. [OFF-TOPIC] If there is a lack of manpower with the mozilla herd, I'd gladly join and help out. I was in the process of becoming a gentoo dev several (!) month back but had to refocus on different things in my life. Since I'm a self-employed computer scientist, my time is somewhat limited but since not too many releases happen and the time required is manageable and I've been using Gentoo for longer than I can remember and know my way around ebuilds and the system, I have no problem taking both quizzes and getting my hands dirty [no more 'ands' :P]. :-) [/OFF-TOPIC]
All the -bin Mozilla packages have been bumped. I'm not bumping the source packages because i've never worked on them and i'd rather not test them with my current hardware setup.
Can we at least get the 16.0.1 for source packages out masked for testing?
(In reply to comment #13) > Can we at least get the 16.0.1 for source packages out masked for testing? Not from me, sorry. Maybe another member of the Gentoo Mozilla team will pop in and do it. If I was to bump any of the source packages, i'd bump the ESR versions as at least I have confirmation that they work with no ebuild modifications and i know they'll have no different dependencies.
I would test, but I have a slow internet connection and can't really download all those XPIs for the manifest so Portage doesn't complain.
(In reply to comment #15) > I would test, but I have a slow internet connection and can't really > download all those XPIs for the manifest so Portage doesn't complain. (This is kind of off-topic for the bug). Just remove all the locales from the top bit of the ebuild. The fact that all of them exist, THAT I have no problem testing.
Like I said earlier, all patches apply cleanly and everything works very stable. I had a look over the patches and none are too intrusive, even though I have some initial doubts about the jmalloc one... but that is a different story. If you take the thunderbird and firefox beta ebuilds from mozilla overlay, bump them to 16.0.1 and the rest is smooth sailing... at least in this case. It should be noted: I am only talking about the non-ESR releases here and I've not checked if they bumped any of the dependencies to a higher version. But that can be done rather quickly before bumping the ebuilds. Also, I tested everything on a up2date ~amd64 system.
The bumps will happen today, I have access to my machine remotely. I will try to complete the bumps in next few hours but connection is slow as hell right now.
Security team feel free to bring in the archs, we are going with firefox/thunderbird{-bin}-10.0.9 seamonkey{-bin}-2.13
(In reply to comment #19) > Security team feel free to bring in the archs, we are going with > firefox/thunderbird{-bin}-10.0.9 seamonkey{-bin}-2.13 Thanks, Jory! Arches, please test and mark stable: =www-client/firefox-10.0.9 Target keywords : "alpha amd64 arm ia64 ppc ppc64 x86" =www-client/firefox-bin-10.0.9 Target keywords : "amd64 x86" =dev-libs/nspr-4.9.2 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86" (amd64, hppa, and x86 are already stable) =dev-libs/nss-3.13.6 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86" (amd64, hppa, and x86 are already stable) =mail-client/thunderbird-10.0.9 Target keywords : "amd64 ppc ppc64 x86" =mail-client/thunderbird-bin-10.0.9 Target keywords : "amd64 x86" =www-client/seamonkey-2.13.1 Target keywords : "amd64 arm ppc ppc64 x86" =www-client/seamonkey-bin-2.13.1 Target keywords : "amd64 x86" Arches, we are already past the target delay so please stabilize as soon as possible.
mail-client/thunderbird-16.0.1, www-client/firefox-16.0.1, www-client/seamonkey-2.13.1 have apparently been put in (bump from last unstable). Thanks!
amd64 stable
About x86. Have tried emerging www-client/firefox-10.0.9 on the (as BINHOST) emerge --info Portage 2.1.11.9 (default/linux/x86/10.0/desktop/kde, gcc-4.5.4, glibc-2.15-r3, 3.4.9-gentoo i686) ================================================================= System uname: Linux-3.4.9-gentoo-i686-Intel-R-_Core-TM-_i7-3930K_CPU_@_3.20GHz-with-gentoo-2.1 Timestamp of tree: Sun, 28 Oct 2012 14:15:01 +0000 app-shells/bash: 4.2_p37 dev-lang/python: 2.7.3-r2 dev-util/cmake: 2.8.9 dev-util/pkgconfig: 0.27.1 sys-apps/baselayout: 2.1-r1 sys-apps/openrc: 0.9.8.4 sys-apps/sandbox: 2.5 sys-devel/autoconf: 2.13, 2.68 sys-devel/automake: 1.11.6 sys-devel/binutils: 2.22-r1 sys-devel/gcc: 4.5.4 sys-devel/gcc-config: 1.7.3 sys-devel/libtool: 2.4-r1 sys-devel/make: 3.82-r3 sys-kernel/linux-headers: 3.4 (virtual/os-headers) sys-libs/glibc: 2.15-r3 Repositories: gentoo ACCEPT_KEYWORDS="x86" ACCEPT_LICENSE="* -@EULA AdobeFlash-10.3" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=core2 -O2 -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-march=core2 -O2 -pipe -fomit-frame-pointer" DISTDIR="/usr/portage-distfiles" FCFLAGS="-O2 -march=i686 -pipe" FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news nodoc noinfo noman parallel-fetch parse-eapi-ebuild-head protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync" FFLAGS="-O2 -march=i686 -pipe" GENTOO_MIRRORS="ftp://gentoo.bloodhost.ru/ ftp://mirror.yandex.ru/gentoo-distfiles/" LANG="ru_RU.UTF8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" LINGUAS="ru en" MAKEOPTS="-j13" PKGDIR="/usr/portage-local/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="" SYNC="rsync://gentoo.bloodhost.ru/gentoo-portage" USE="X a52 aac acl acpi bluetooth bluray branding bzip2 cairo cdda cdr cli consolekit cracklib crypt cxx dbus declarative device-mapper dirac dri dts dvb dvd dvdr emboss encode exif fam firefox flac fmpeg fortran gif gnutls gpm gtk iconv icu idn ios ipod jpeg jpeg2k kde kipi lcms libass libnotify libsamplerate lzma mad matroska mms mmx mng modules mp3 mp4 mpeg mtp mudflap musepack ncurses networkmanager nls nptl ogg opengl openmp pam pango pcre pdf phonon plasma png policykit ppds pppd pulseaudio qt3support qt4 readline schroedinger session speex sse sse2 sse3 ssl ssse3 startup-notification svg taglib theora threads tiff truetype udev udisks unicode upower usb v4l vlc vorbis wavpack wxwidgets x264 x86 xcb xcomposite xinerama xml xscreensaver xv xvid zlib" ALSA_CARDS="hda-intel usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DRACUT_MODULES="caps lvm" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="ru en" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="radeon r600" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON and after that it successfully run (acid3 test and random youtube video) on emerge --info Portage 2.1.11.9 (default/linux/x86/10.0/desktop/kde, gcc-4.5.4, glibc-2.15-r3, 3.4.9-gentoo i686) ================================================================= System uname: Linux-3.4.9-gentoo-i686-Intel-R-_Core-TM-2_Duo_CPU_T5450_@_1.66GHz-with-gentoo-2.1 Timestamp of tree: Sun, 28 Oct 2012 10:45:01 +0000 app-shells/bash: 4.2_p37 dev-lang/python: 2.7.3-r2 sys-apps/baselayout: 2.1-r1 sys-apps/openrc: 0.9.8.4 sys-apps/sandbox: 2.5 sys-devel/binutils: 2.22-r1 sys-devel/gcc: 4.5.4 sys-devel/gcc-config: 1.7.3 sys-devel/libtool: 2.4-r1 sys-devel/make: 3.82-r3 sys-kernel/linux-headers: 3.4 (virtual/os-headers) sys-libs/glibc: 2.15-r3 Repositories: gentoo ACCEPT_KEYWORDS="x86" ACCEPT_LICENSE="* -@EULA AdobeFlash-10.3" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=core2 -O2 -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-march=core2 -O2 -pipe -fomit-frame-pointer" DISTDIR="/home/portage/distfiles" FCFLAGS="-O2 -march=i686 -pipe" FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news nodoc noinfo noman parallel-fetch parse-eapi-ebuild-head protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync" FFLAGS="-O2 -march=i686 -pipe" GENTOO_MIRRORS="ftp://gentoo.bloodhost.ru/ ftp://mirror.yandex.ru/gentoo-distfiles/" LANG="ru_RU.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" LINGUAS="ru en" MAKEOPTS="-j3" PKGDIR="/home/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="" USE="X a52 aac acl acpi bluetooth bluray branding bzip2 cairo cdda cdr cli consolekit cracklib crypt cxx dbus declarative device-mapper dirac dri dts dvb dvd dvdr emboss encode exif fam firefox flac fmpeg fortran gif gnutls gpm gtk iconv icu idn ios ipod jpeg jpeg2k kde kipi lcms libass libnotify libsamplerate lzma mad matroska mms mmx mng modules mp3 mp4 mpeg mtp mudflap musepack ncurses networkmanager nls nptl ogg opengl openmp pam pango pcre pdf phonon plasma png policykit ppds pppd pulseaudio qt3support qt4 readline schroedinger session speex sse sse2 sse3 ssl ssse3 startup-notification svg taglib theora threads tiff truetype udev udisks unicode upower usb v4l vlc vorbis wavpack wxwidgets x264 x86 xcb xcomposite xinerama xml xscreensaver xv xvid zlib" ALSA_CARDS="hda-intel usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DRACUT_MODULES="caps lvm" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="ru en" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="radeon r600" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
@ alpha, arm, ia64, ppc64, ppc, sparc, x86: please continue in bug 439960
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).