Bug 588734 (CVE-2015-5186) - <sys-process/audit-2.4.4 : log terminal emulator escape sequences handling
Status: RESOLVED FIXED
Alias: CVE-2015-5186
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://people.redhat.com/sgrubb/audi...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-13 06:35 UTC by Jeroen Roovers
Modified: 2017-01-16 02:58 UTC

See Also:
Package list:
=sys-process/audit-2.6.4
Runtime testing required: ---
kensington: sanity-check+


Description Jeroen Roovers gentoo-dev 2016-07-13 06:35:49 UTC
The ChangeLog at the [URL] mentions for 2.4.4 (not in the tree):

- Fix CVE-2015-5186 Audit: log terminal emulator escape sequences handling

I am not sure if this is fixed in 2.4.3-r1, and if not this report should be reassigned to security@.
Comment 1 Jason Zaman gentoo-dev 2016-07-17 05:53:06 UTC
commit 916ff46bd38dfac4aa50f3f946eb63194381a18c
Author: Jason Zaman <perfinion@g.o>
Date:   Sun Jul 17 13:42:31 2016

    sys-process/audit: stable for alpha amd64 hppa ppc x86 (bug 588734)
    
    Package-Manager: portage-2.2.28

commit dca8025bffc3288ab37975c413a35e1dadc5d0b2
Author: Jason Zaman <perfinion@g.o>
Date:   Sun Jul 17 13:26:59 2016

    sys-process/audit: bump to 2.6.4 bug 588734
    
    Package-Manager: portage-2.2.28

commit a93ad00d13b2ac267bbcc4421beb7eb9a79481bd
Author: Jason Zaman <perfinion@g.o>
Date:   Sun Jul 17 13:22:05 2016

    sys-process/audit: bump to 2.4.4 bug 588734
    
    Package-Manager: portage-2.2.28
Comment 2 Jason Zaman gentoo-dev 2016-07-17 05:54:59 UTC
2.4.3-r1 does not have the fix
Stabilization is in bug 577770

2.4.4 has no changes to the ebuild, so I stabilized it for exactly the same arches as 2.4.3-r1. 2.6.4 I updated to eapi6 and will stabilize later
Comment 3 Jeroen Roovers gentoo-dev 2016-07-17 06:46:24 UTC
(In reply to Jason Zaman from comment #2)
> 2.4.3-r1 does not have the fix
> Stabilization is in bug 577770
> 
> 2.4.4 has no changes to the ebuild, so I stabilized it for exactly the same
> arches as 2.4.3-r1. 2.6.4 I updated to eapi6 and will stabilize later

You did what now?
Comment 4 Jeroen Roovers gentoo-dev 2016-07-17 06:53:15 UTC
I reverted that stabilisation attempt. Don't we test stuff anymore?

Meanwhile, 2.6.5 is out.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-10-14 13:56:06 UTC
@maintainer(s), can we call for stabilization yet?
Comment 6 Thomas Deutschmann gentoo-dev Security 2016-11-28 01:36:11 UTC
@ Arches,

please test and mark stable: =sys-process/audit-2.6.4
Comment 7 Agostino Sarubbo gentoo-dev 2016-11-29 10:41:27 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-11-29 10:43:50 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2016-11-30 19:33:31 UTC
arm stable
Comment 10 Tobias Klausmann gentoo-dev 2016-12-02 14:21:42 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2016-12-19 14:36:25 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-12-19 15:13:26 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-12-20 09:45:48 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-12-22 09:36:03 UTC
ppc64 stable
Comment 15 Jeroen Roovers gentoo-dev 2017-01-09 14:02:33 UTC
Stable for HPPA.
Comment 16 Thomas Deutschmann gentoo-dev Security 2017-01-09 18:00:21 UTC
GLSA Vote: No

@ Maintainer(s): Please clean up <sys-process/audit-2.4.4 (probably <sys-process/audit-2.6.4 but security only requires cleanup of <2.4.4).
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-01-16 02:58:37 UTC
tree is clean