From $URL :

Can someone assign a CVE id for a buffer overflow in coreutils? It's the same code snippet (coreutils-i18n.patch) and it affects sort, uniq and join:

https://bugzilla.novell.com/show_bug.cgi?id=798538
https://bugzilla.novell.com/show_bug.cgi?id=796243
https://bugzilla.novell.com/show_bug.cgi?id=798541

- Gentoo seems to apply 000_all_coreutils-i18n.patch.
we don't have i18n in 8.20
(In reply to comment #1)
> we don't have i18n in 8.20

Does not mean it is invalid.
(In reply to comment #2)

of course it does. from the bug reports:
The upstream version of coreutils does not have this problem (doesn't crash).

and none of those examples crash for me.

we don't track crashes in patches we don't carry.
(In reply to comment #3)
> (In reply to comment #2)
>
> of course it does. from the bug reports:
> The upstream version of coreutils does not have this problem (doesn't
> crash).
>
> and none of those examples crash for me.
>
> we don't track crashes in patches we don't carry.

The security team needs to send an advisory if we had the vulnerable code in the tree and you need to punt the vulnerable ebuilds.

arcadia coreutils # grep -R i18n .
./coreutils-8.7.ebuild: use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.18.ebuild: use_if_iuse unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.20.ebuild: use_if_iuse unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.8.ebuild: use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.12.ebuild: use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./ChangeLog: Include i18n patch from Fedora #328827 by Arago.
./ChangeLog: Tweak tests in i18n patch #317565 by T Chan.
./ChangeLog: Add i18n patch from Fedora and some fixes from upstream for #210133.
./ChangeLog: Update the i18n patch to fix cut again as well as expand #104286 by peteru.
./ChangeLog: Update i18n patch to the redhat version #87429 and include the tty utf8 fix
./ChangeLog: we're using openi18n.org's patches for coreutils, which should sort (no pun
./ChangeLog: Update version. I ported the ACL patches, except for the i18n one, as it gets
./coreutils-8.17.ebuild: use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.9.ebuild: use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.20-r1.ebuild: use_if_iuse unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.5.ebuild: use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.19.ebuild: use_if_iuse unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.10.ebuild: use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.14.ebuild: use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.20-r2.ebuild: use_if_iuse unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.5-r1.ebuild: use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.11.ebuild: use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.13.ebuild: use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.15.ebuild: use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch
./coreutils-8.16.ebuild: use unicode || rm -f "${WORKDIR}"/patch/000_all_coreutils-i18n.patch

I see anything related to i18n from fedora.
(In reply to comment #4)

well, you didn't really read the grep output. simply looking for the string "i18n" doesn't tell you anything.

8.5 was the last version that actually included the i18n patch. GLSAs for that version (or older) are a waste of time imo, especially since there have been a bunch of other random crash bugs in coreutils we haven't done anything about. just look at the NEWS file.
(In reply to comment #5)
> (In reply to comment #4)
>
> well, you didn't really read the grep output. simply looking for the string
> "i18n" doesn't tell you anything.
>
> 8.5 was the last version that actually included the i18n patch.

Then as I said the bug is valid.

@security, please file glsa request or add to existing.