Bug 646348 (CVE-2017-17531) - <dev-util/global-6.6.4: gozilla.c in GNU GLOBAL before 6.6.1 does not validate strings (CVE-2017-17531)
Summary: <dev-util/global-6.6.4: gozilla.c in GNU GLOBAL before 6.6.1 does not validat...
Status: RESOLVED FIXED
Alias: CVE-2017-17531
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://lists.gnu.org/archive/html/inf...
Whiteboard: C2 [glsa+ cve]
Keywords:
Depends on: 701376
Blocks:
Reported: 2018-02-01 19:26 UTC by Matthias Dahl
Modified: 2020-09-09 16:02 UTC

See Also:
Package list:
dev-util/global-6.6.4
Runtime testing required: ---
nattka: sanity-check+


Description Matthias Dahl 2018-02-01 19:26:56 UTC
v6.6.0 was released on 12 Dec 2017:
http://lists.gnu.org/archive/html/info-global/2017-12/msg00000.html

v6.6.1 was released on 16 Dec 2017 as a security fix release (CVE-2017-17531) which affects all versions prior to this one:
http://lists.gnu.org/archive/html/info-global/2017-12/msg00001.html

Bumping the ebuild, in this case, is enough.
Comment 1 Matthias Dahl 2018-05-03 08:12:43 UTC
v6.6.2 was released on 9 Feb 2018:
http://lists.gnu.org/archive/html/info-global/2018-02/msg00000.html

Considering how long v6.6.x has been out and that this is a security issue, it would be nice to get this version bumped in the tree asap.
Comment 2 D'juan McDonald (domhnall) 2018-05-07 05:46:29 UTC
@security, as there is no fixed version available in tree, changing summary and setting perceived Whiteboard based on the vulnerability description.


Gentoo Security
Jmbailey/mbailey_j
Comment 3 Sam James archtester gentoo-dev Security 2020-03-19 01:39:41 UTC
@maintainer(s), please create an appropriate ebuild, and call for stabilisation when ready.
Comment 4 Sam James archtester gentoo-dev Security 2020-03-19 01:40:49 UTC
(In reply to sam_c (Security Padawan) from comment #3)
> @maintainer(s), please create an appropriate ebuild, and call for
> stabilisation when ready.

Sorry, I meant:
@maintainer(s), please advise if you are ready for stabilisation or call for stabilisation yourself.
Comment 5 Sam James archtester gentoo-dev Security 2020-07-30 01:12:41 UTC
Been in tree long enough. Will stable unless any objections.
Comment 6 Sergei Trofimovich gentoo-dev 2020-08-01 14:55:32 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-08-05 13:54:34 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-08-05 14:19:13 UTC
x86 stable.

Maintainer(s), please clean up.
Security, please add it to the existing request, or file a new one.
Comment 9 Sam James archtester gentoo-dev Security 2020-08-08 02:36:14 UTC
GLSA vote: no
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2020-08-08 04:24:30 UTC
This issue was resolved and addressed in
 GLSA 202008-02 at https://security.gentoo.org/glsa/202008-02
by GLSA coordinator Sam James (sam_c).
Comment 11 Sam James archtester gentoo-dev Security 2020-08-08 04:25:39 UTC
Reopening for cleanup.
Comment 12 Larry the Git Cow gentoo-dev 2020-09-09 16:01:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=76c1cf9aa7fd7da4311612199fd09ed9caff0290

commit 76c1cf9aa7fd7da4311612199fd09ed9caff0290
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-09-09 16:01:36 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-09-09 16:01:36 +0000

    dev-util/global: security cleanup
    
    Bug: https://bugs.gentoo.org/646348
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-util/global/Manifest            |  2 -
 dev-util/global/global-6.3.1.ebuild | 81 -------------------------------
 dev-util/global/global-6.5.7.ebuild | 96 -------------------------------------
 3 files changed, 179 deletions(-)