Bug 752408 (CVE-2019-19917, CVE-2019-19918) - app-text/lout: Multiple vulnerabilities (CVE-2019-{19917,19918})
Summary: app-text/lout: Multiple vulnerabilities (CVE-2019-{19917,19918})
Status: IN_PROGRESS
Alias: CVE-2019-19917, CVE-2019-19918
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://lists.nongnu.org/archive/html...
Whiteboard: B3 [glsa?]
Reported: 2020-11-03 04:37 UTC by Sam James
Modified: 2021-08-24 15:08 UTC
Description Sam James archtester gentoo-dev Security 2020-11-03 04:37:51 UTC
* CVE-2019-19917

Lout 3.40 has a buffer overflow in the StringQuotedWord() function in z39.c.

* CVE-2019-19918

Lout 3.40 has a heap-based buffer overflow in the srcnext() function in z02.c.
Comment 1 John Helmert III gentoo-dev Security 2021-01-23 22:14:08 UTC
No revdeps, m-n, seems dead upstream based on the email thread at $URL. CCing treecleaner.
Comment 2 James Cloos 2021-07-26 15:33:58 UTC
removing such a package over a triviality like this is most unethical.
Comment 3 John Helmert III gentoo-dev Security 2021-07-26 15:38:39 UTC
(In reply to James Cloos from comment #2)
> removing such a package over a triviality like this is most unethical.

Patches welcome!
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:25:31 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:41:56 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:05:59 UTC
Package list is empty or all packages have requested keywords.
Comment 7 Matt Turner gentoo-dev 2021-08-09 04:22:25 UTC
(In reply to James Cloos from comment #2)
> removing such a package over a triviality like this is most unethical.

That's not really an acceptable accusation, and you should apologize and take it back.

The package is unmaintained both upstream and in Gentoo. If you want to change one or both of those, please be our guest. Unfortunately we're not equipped to handle every piece of software ever with our finite resources. I'd expect that you know that given the amount of time you've been around Gentoo, FreeDesktop, and free software in general.
Comment 8 Larry the Git Cow gentoo-dev 2021-08-24 12:39:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6e5f6c2919ee7b524a94ba3164fcf3a07f3c158

commit a6e5f6c2919ee7b524a94ba3164fcf3a07f3c158
Author:     Jakov Smolic <jakov.smolic@sartura.hr>
AuthorDate: 2021-08-24 12:38:32 +0000
Commit:     David Seifert <soap@gentoo.org>
CommitDate: 2021-08-24 12:38:32 +0000

    app-text/lout: Remove last-rited package
    
    Closes: https://bugs.gentoo.org/715936
    Bug: https://bugs.gentoo.org/752408
    Signed-off-by: Jakov Smolic <jakov.smolic@sartura.hr>
    Signed-off-by: David Seifert <soap@gentoo.org>

 app-text/lout/Manifest                       |  1 -
 app-text/lout/files/lout-3.38-makefile.patch | 33 -----------
 app-text/lout/lout-3.40.ebuild               | 85 ----------------------------
 app-text/lout/metadata.xml                   |  8 ---
 profiles/package.mask                        |  5 --
 5 files changed, 132 deletions(-)