Please see URL for full details:

"During the security assessment of a firmware binary a number of NULL pointer dereference bugs were found caused by newlib-nano code. It turns out that newlib-nano was part of the "GNU ARM Embedded Toolchain" that the chip manufacturer (Microchip/Atmel) delivered for application development purposes. newlib-nano inherits code from the newlib project, which is a C library intended for use on embedded systems. All NULL pointer dereference bugs identified in newlib-nano were inherited by newlib code and therefore CENSUS reported the respective vulnerabilities to the upstream project. Users of the newlib library are advised to update to version 3.3.0 and make sure to build the library sources with the newlib-reent-check-verify 'configure' option enabled."

This option is enabled for newlib-3.3.0.
@maintainer(s), please advise if ready for stabilisation, or call yourself.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae8fe4521b047d71437f98218ff595715f41cfc9

commit ae8fe4521b047d71437f98218ff595715f41cfc9
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-03-31 07:02:28 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-03-31 07:02:28 +0000

    sys-libs/newlib: drop old, bug #713284

    Bug: https://bugs.gentoo.org/713284
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 sys-libs/newlib/Manifest | 3 -
 sys-libs/newlib/newlib-2.2.0.ebuild | 81 ---------------------
 sys-libs/newlib/newlib-2.5.0.ebuild | 139 -----------------------------------
 sys-libs/newlib/newlib-3.1.0.ebuild | 141 ------------------------------------
 4 files changed, 364 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed3befc9560963f41c7c8cc2c215c3ff0d8b4355

commit ed3befc9560963f41c7c8cc2c215c3ff0d8b4355
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-03-31 07:01:34 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-03-31 07:01:34 +0000

    sys-libs/newlib: drop stable keywords, bug #713284

    The package is only used to bootstrap embedded cross-compilers.
    Stable keywords don't make much sense. Let users manage
    keywords themselves.

    Bug: https://bugs.gentoo.org/713284
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 sys-libs/newlib/newlib-2.2.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Cleanup was done and stable keywords were dropped.
I just realised: 3.1.0 is still in tree. That should be dropped too, if we can.
3.1.0 had to be reinstated for bug #717610
(In reply to Sergei Trofimovich from comment #5)
> 3.1.0 had to be reinstated for bug #717610

Ah, thanks.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7d448666bf391567ce16b2c394edbb753ad0386

commit e7d448666bf391567ce16b2c394edbb753ad0386
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-05-17 09:33:19 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-05-17 09:33:35 +0000

    sys-libs/newlib: drop old, bug #713284

    Bug: https://bugs.gentoo.org/713284
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 sys-libs/newlib/Manifest | 1 -
 sys-libs/newlib/newlib-3.1.0.ebuild | 141 ------------------------------------
 2 files changed, 142 deletions(-)