From v0.31.1 changelog:
2017-01-08: icoutils 0.31.1 released.
Colin Watson, Debian bug https://bugs.debian.org/850017
Martin Gieseking, Fedora https://bugzilla.redhat.com/show_bug.cgi?id=1249276
@ Maintainer(s): Please bump to >=media-gfx/icoutils-0.31.1 and let us know when you are ready to stabilize.
> It turns out that this is not enough, so upstream has issued
> Could you please assign a further CVE for this follow up fix?
> Furthermore I would like to ask if the following two commits from upstream,
> can have as well an identifier assigned:
Yes, but because these are immediately consecutive commits, the CVE
mapping may seem unusual.
Use CVE-2017-5332 for all of 1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
and also the index correction in
1a108713ac26215c7568353f6e02e727e6d4b24a. In other words, the change
from "entries[c]" to "entries[c-skipped]" in
1a108713ac26215c7568353f6e02e727e6d4b24a cannot have a new CVE ID
because the code was never "shipped" with "entries[c]" in use. There
aren't two independent problems related to establishing a maximum
allowable value of the size variable.
Use CVE-2017-5333 for the separate vulnerability fixed by the
introduction of the "size >= sizeof(uint16_t)*2" test in
Further issues found in 0.31.1 incoming
*** Bug 610714 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s):
Author: Thomas Deutschmann <email@example.com>
AuthorDate: 2017-10-29 17:39:39 +0000
Commit: Thomas Deutschmann <firstname.lastname@example.org>
CommitDate: 2017-10-29 17:42:14 +0000
media-gfx/icoutils: Bump to v0.32.0
Thanks to Marty Plummer for the musl build fix (bug #631360).
Package-Manager: Portage-2.3.13, Repoman-2.3.4
media-gfx/icoutils/Manifest | 1 +
media-gfx/icoutils/icoutils-0.32.0.ebuild | 49 +++++++++++++++++++++++++++++++
2 files changed, 50 insertions(+)}
please test and mark stable: =media-gfx/icoutils-0.32.0
Stable on amd64
All supported arches stabilized. @maintainer(s), proceed to cleanup, thank you.
Gentoo Security Padawan
This issue was resolved and addressed in
GLSA 201801-12 at https://security.gentoo.org/glsa/201801-12
by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for cleanup.
@ Maintainer(s): Please cleanup and drop <media-gfx/icoutils-0.32.0!
tree is clean: