| Summary: | liblzo or minilzo bundled within packages, affected by CVE-2014-4607 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Mageia Bug Squad <bugsquad> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | anssi.hannula, bersuit.vera, dmorganec, fundawang, mageia, n54, nanardon, oe, rverschelde, shlomif, zen25000 |
| Version: | 4 | ||
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/604237/ | ||
| Whiteboard: | MGA3TOO | ||
| Source RPM: | CVE: | ||
| Status comment: | |||
| Bug Depends on: | 13933, 13934, 13944, 13945, 13947, 13956, 13957, 13958, 13959, 13960, 14001, 14047 | ||
| Bug Blocks: | |||
|
Description
David Walser
2014-08-19 18:44:32 CEST
David Walser
2014-08-19 18:44:50 CEST
Depends on:
(none) =>
13933, 13934
I got a patch from upstream for Busybox. For minilzo, the patch Luc applied for krfb (kdenetwork4) in Mageia 3 also applied for libvncserver and remmina. It does not apply for bb, blender, distcc, dump, grub2, icecream, italc, mednafen, or x11vnc.
CC'ing Nanar for bb, Funda for blender, Kamil for distcc and x11vnc, Barry for grub2, Anssi and Damien for icecream, Damien and Bersuit and dmorgan also for italc, Rémi for mednafen, and Shlomi also for distcc.
CC:
(none) =>
anssi.hannula, bersuit.vera, dmorganec, fundawang, mageia, n54, nanardon, remi, shlomif, zen25000
David Walser
2014-08-19 19:40:00 CEST
Depends on:
(none) =>
13944
David Walser
2014-08-19 19:44:23 CEST
Depends on:
(none) =>
13945
Filed Bug 13944 for libvncserver and remmina. Filed Bug 13945 for busybox.
Whiteboard:
(none) =>
MGA4TOO, MGA3TOO
Rémi Verschelde
2014-08-20 00:01:51 CEST
Depends on:
(none) =>
13947
Barry's patch for harbour works for blender and icecream (had to regenerate it on the mga3 versions). Those are now committed.
Blender in Cauldron does not build though:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20140820171511.luigiwalser.valstar.23439/log/blender-2.71-2.mga5/build.0.20140820171603.log
The patch from harbour also worked for italc (had to regenerate it for the mga3/mga4 version). I was also able to adapt the patch from harbour for grub2. Still no luck for bb, distcc, dump, or x11vnc.
David Walser
2014-08-20 20:36:01 CEST
Depends on:
(none) =>
13956
David Walser
2014-08-20 20:36:21 CEST
Depends on:
(none) =>
13957
David Walser
2014-08-20 20:36:34 CEST
Depends on:
(none) =>
13958
David Walser
2014-08-20 22:08:05 CEST
Depends on:
(none) =>
13959
Found a patch in Fedora for distcc. Filed Bug 13959 for distcc.
David Walser
2014-08-20 23:17:38 CEST
Depends on:
(none) =>
13960
x11vnc is buildable against the system libvncserver (thanks to configure options found in Fedora), so that's been added to Bug 13944. blender will still need to be fixed to build in Cauldron, but for mga3/mga4 I've pushed it to the build system and filed Bug 13960. That leaves us with just bb and dump to fix!
bb is now dropped in Cauldron (and probably unlikely to be fixed in mga3/mga4). dump is the only remaining issue in Cauldron (besides blender).
David Walser
2014-08-28 15:51:36 CEST
Depends on:
(none) =>
14001
I bumped the bundled lzo-1.08 code to lzo-2.08 in dump. This needs extensive testing. Please test: dump-0.4b44-2.1.mga3, dump-0.4b44-3.1.mga4 and dump-0.4b44-4.mga5
Cheers.
CC:
(none) =>
oe
David Walser
2014-09-03 14:55:53 CEST
Depends on:
(none) =>
14047
Thanks Oden! Bug 14047 filed for dump. All that's left to do in Cauldron is to get blender to build.
blender-2.71-7.mga5 built in Cauldron (it wasn't easy!). Now all that's left for this bug is to validate the dump update, and there's also the bb package which is unlikely to be fixed.
Version:
Cauldron =>
4
Ignoring bb; this is as fixed as it's going to be.
Status:
NEW =>
RESOLVED |