From ${URL} : An out-of-bounds read flaw resulting in an infinite loop was found in pacman's (the Arch package manager) signature parser. References: http://seclists.org/oss-sec/2016/q2/526 https://lists.archlinux.org/pipermail/pacman-dev/2016-June/021148.html @maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Update: this bug only causes a DoS on x86, but Arch Linux is no longer maintaining x86, the patch was never applied (at least as of the current source), and there must be very specific conditions for this bug to become an attack vector. + Maintainer is no longer active and there is no recent ebuild (the last one uses EAPI 4). Maybe it is time to consider last-riting this package.
Indeed. The current Gentoo version is from 2012, and upstream has moved forward a lot since then.
Fixed in tree with commit aa655378e457e47abd9c358df124e2bc754231f7:

Author: Nils Freydank <holgersson@posteo.de>
Date: Mon Aug 7 17:42:53 2017 +0200

    sys-apps/pacman-4.x: Security cleanup wrt Gentoo bug #585940.

    Package-Manager: Portage-2.3.6, Repoman-2.3.3
Package got a proxy-maintainer (https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=12e57d184a39138ac3ee87cf3d47b683b6530873), removing treecleaners. @Nils: But this package still looks vulnerable. I found https://lists.archlinux.org/pipermail/pacman-dev/2016-June/021148.html but I don't see it applied (https://git.archlinux.org/pacman.git/log/lib/libalpm/signing.c). I guess we need to contact upstream for clarification.
Fixed via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3cbbadd99e9e4cc8014b99d74fe76ab943bf0bb Repository is clean (via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=effecc045f78dabf595f56e9d289d4aa082757ca). All done.