Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 487688 (CVE-2013-4412) - <x11-misc/slim-1.3.5-r4 : potential null pointer deference (CVE-2013-4412)
Summary: <x11-misc/slim-1.3.5-r4 : potential null pointer deference (CVE-2013-4412)
Status: RESOLVED FIXED
Alias: CVE-2013-4412
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 488388
Blocks:
  Show dependency tree
 
Reported: 2013-10-11 19:23 UTC by Agostino Sarubbo
Modified: 2013-12-18 07:44 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-10-11 19:23:36 UTC
From ${URL} :

Slim 1.3.6 fixes a security flaw related to a potential NULL ptr.
dereference when using crypt() from glibc 2.17+ (eglibc 2.17+).
Without the fix, malformed or unsupported salts crash the login
daemon.

Upstream fix: http://git.berlios.de/cgi-bin/cgit.cgi/slim/commit/?id=fbdfae3b406b1bb6f4e5e440e79b9b8bb8f071fb



@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2013-10-12 13:28:44 UTC
I dropped HPPA keywords on the older versions.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2013-10-12 13:29:00 UTC
Oops, wrong bug.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2013-10-12 14:51:59 UTC
(In reply to Jeroen Roovers from comment #2)
> Oops, wrong bug.

Resetting back to what it was.
Comment 4 Ian Stakenvicius (RETIRED) gentoo-dev 2013-10-17 14:05:19 UTC
New ebuild is in the tree.  

Given the amount of patchwork I had to do in the build system, I don't have as much confidence in this version as I've had in the past; if stabilization can wait 30 days that would be preferable, just to give it more testing time in the field.
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-17 15:48:05 UTC
(In reply to Ian Stakenvicius from comment #4)
> New ebuild is in the tree.  
> 
> Given the amount of patchwork I had to do in the build system, I don't have
> as much confidence in this version as I've had in the past; if stabilization
> can wait 30 days that would be preferable, just to give it more testing time
> in the field.

To comply with our preferred 20 days of delay for an issue of this severity, I'd go for 15 days here max.

For the future, to give users a clean upgrade path, security bumps should be as straight-forward as possible, so fixing other (build system?) issues that require more extensive testing should be done in a another revision of the package.
Comment 6 Ian Stakenvicius (RETIRED) gentoo-dev 2013-10-17 15:52:10 UTC
(In reply to Alex Legler from comment #5)
> (In reply to Ian Stakenvicius from comment #4)
> > New ebuild is in the tree.  
> > 
> > Given the amount of patchwork I had to do in the build system, I don't have
> > as much confidence in this version as I've had in the past; if stabilization
> > can wait 30 days that would be preferable, just to give it more testing time
> > in the field.
> 
> To comply with our preferred 20 days of delay for an issue of this severity,
> I'd go for 15 days here max.
> 
> For the future, to give users a clean upgrade path, security bumps should be
> as straight-forward as possible, so fixing other (build system?) issues that
> require more extensive testing should be done in a another revision of the
> package.

I agree.  The issue here is that upstream changed around a fair bit of stuff between this new version and the previous one, and to be honest I have no idea how they could have released it in the state they did because as far as I could tell it just plain wouldn't build.  From inspecting the code and testing locally, it seems like everything will still work fine, but this general lack of care by upstream this time around reduces my confidence that there aren't other hidden issues.

15 days should be fine, though.  Thanks!
Comment 7 Ian Stakenvicius (RETIRED) gentoo-dev 2013-10-22 14:57:27 UTC
Given the other issues with slim-1.3.6, and chithead pointing out that the fix is actually a very simple backport, I decided to backport it and revbump slim-1.3.5.

CC'ing arches to stabilize immediately:

=x11-misc/slim-1.3.5-r4 : KEYWORDS="amd64 arm ppc ppc64 sparc x86"
Comment 8 Agostino Sarubbo gentoo-dev 2013-10-25 10:51:13 UTC
amd64/ppc/ppc64/x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-12-17 15:02:51 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-17 17:23:17 UTC
GLSA vote: no.
Comment 11 Ian Stakenvicius (RETIRED) gentoo-dev 2013-12-17 17:26:52 UTC
Cleanup complete.
Comment 12 Sergey Popov gentoo-dev 2013-12-18 07:44:40 UTC
Thanks for your work

GLSA vote: no

Closing as noglsa