These packages bundle minilzo.c: bb, blender, distcc, dump, grub2, harbour, icecream, italc, krfb, libvncserver, mednafen, remmina, x11vnc. Busybox bundles lzo. There may be others, but those are the ones I'm aware of. We fixed CVE-2014-4607 in the system lzo in Bug 13655. We do not have a system minilzo. krfb has Bug 13933 filed for it. harbour has Bug 13934 filed for it. The rest are in progress...
Depends on: (none) => 13933, 13934
I got a patch from upstream for Busybox. For minilzo, the patch Luc applied for krfb (kdenetwork4) in Mageia 3 also applied for libvncserver and remmina. It does not apply for bb, blender, distcc, dump, grub2, icecream, italc, mednafen, or x11vnc.
CC'ing Nanar for bb, Funda for blender, Kamil for distcc and x11vnc, Barry for grub2, Anssi and Damien for icecream, Damien and Bersuit and dmorgan also for italc, Rémi for mednafen, and Shlomi also for distcc.
CC: (none) => anssi.hannula, bersuit.vera, dmorganec, fundawang, mageia, n54, nanardon, remi, shlomif, zen25000
Depends on: (none) => 13944
Depends on: (none) => 13945
Filed Bug 13944 for libvncserver and remmina. Filed Bug 13945 for busybox.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Depends on: (none) => 13947
Filed Bug 13947 for mednafen.
Barry's patch for harbour works for blender and icecream (had to regenerate it on the mga3 versions). Those are now committed. Blender in Cauldron does not build though: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20140820171511.luigiwalser.valstar.23439/log/blender-2.71-2.mga5/build.0.20140820171603.log The patch from harbour also worked for italc (had to regenerate it for the mga3/mga4 version). I was also able to adapt the patch from harbour for grub2. Still no luck for bb, distcc, dump, or x11vnc.
Depends on: (none) => 13956
Depends on: (none) => 13957
Depends on: (none) => 13958
Filed Bug 13956 for icecream. Filed Bug 13957 for grub2. Filed Bug 13958 for italc.
Depends on: (none) => 13959
Found a patch in Fedora for distcc. Filed Bug 13959 for distcc.
Depends on: (none) => 13960
x11vnc is buildable against the system libvncserver (thanks to configure options found in Fedora), so that's been added to Bug 13944. blender will still need to be fixed to build in Cauldron, but for mga3/mga4 I've pushed it to the build system and filed Bug 13960. That leaves us with just bb and dump to fix!
bb is now dropped in Cauldron (and probably unlikely to be fixed in mga3/mga4). dump is the only remaining issue in Cauldron (besides blender).
Depends on: (none) => 14001
I bumped the bundled lzo-1.08 code to lzo-2.08 in dump. This needs extensive testing. Please test: dump-0.4b44-2.1.mga3, dump-0.4b44-3.1.mga4 and dump-0.4b44-4.mga5. Cheers.
CC: (none) => oe
Depends on: (none) => 14047
Thanks Oden! Bug 14047 filed for dump. All that's left to do in Cauldron is to get blender to build.
blender-2.71-7.mga5 built in Cauldron (it wasn't easy!). Now all that's left for this bug is to validate the dump update, and there's also the bb package which is unlikely to be fixed.
Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Ignoring bb; this is as fixed as it's going to be.
Status: NEW => RESOLVED
Resolution: (none) => FIXED