Merge commit '374d0d9fa63a3f974ca84f27375c342d75caaf3c'

author: Repository mirror & CI <repomirrorci@gentoo.org> 2018-11-27 02:24:23 +0000
committer: Repository mirror & CI <repomirrorci@gentoo.org> 2018-11-27 02:24:23 +0000
commit: 177502ae4dcce017cbf17cdc572a0ad289cd4140 (patch)
tree: 169d1fcb66aa436d698fde1a80b5268f14df9548 /metadata/glsa
parent: 2018-11-26 22:44:55 UTC (diff)
parent: [ GLSA 201811-20 ] spice-gtk: Remote code execution (diff)
download: gentoo-177502ae4dcce017cbf17cdc572a0ad289cd4140.tar.gz
gentoo-177502ae4dcce017cbf17cdc572a0ad289cd4140.tar.bz2
gentoo-177502ae4dcce017cbf17cdc572a0ad289cd4140.zip
4 files changed, 234 insertions, 0 deletions
diff --git a/metadata/glsa/glsa-201811-17.xml b/metadata/glsa/glsa-201811-17.xml
new file mode 100644
index 000000000000..252a12c83dba
--- /dev/null
+++ b/metadata/glsa/glsa-201811-17.xml
@@ -0,0 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-17">
+  <title>Binutils: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Binutils, the worst of
+    which may allow remote attackers to cause a Denial of Service condition.
+  </synopsis>
+  <product type="ebuild">binutils</product>
+  <announced>2018-11-27</announced>
+  <revised count="1">2018-11-27</revised>
+  <bug>634196</bug>
+  <bug>637642</bug>
+  <bug>639692</bug>
+  <bug>639768</bug>
+  <bug>647798</bug>
+  <bug>649690</bug>
+  <access>remote</access>
+  <affected>
+    <package name="sys-devel/binutils" auto="yes" arch="*">
+      <unaffected range="ge">2.30-r2</unaffected>
+      <vulnerable range="lt">2.30-r2</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>The GNU Binutils are a collection of tools to create, modify and analyse
+      binary files. Many of the files use BFD, the Binary File Descriptor
+      library, to do low-level manipulation.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Binutils. Please review
+      the referenced CVE identifiers for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, by enticing a user to compile/execute a specially
+      crafted ELF, object, PE, or binary file, could possibly cause a Denial of
+      Service condition or have other unspecified impacts.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Binutils users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=sys-devel/binutils-2.30-r2"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-14933">CVE-2017-14933</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16826">CVE-2017-16826</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16827">CVE-2017-16827</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16828">CVE-2017-16828</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16829">CVE-2017-16829</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16830">CVE-2017-16830</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16831">CVE-2017-16831</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16832">CVE-2017-16832</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17080">CVE-2017-17080</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17121">CVE-2017-17121</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17122">CVE-2017-17122</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17123">CVE-2017-17123</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17124">CVE-2017-17124</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17125">CVE-2017-17125</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-17126">CVE-2017-17126</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6543">CVE-2018-6543</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6759">CVE-2018-6759</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-6872">CVE-2018-6872</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7208">CVE-2018-7208</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7568">CVE-2018-7568</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7569">CVE-2018-7569</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7570">CVE-2018-7570</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7642">CVE-2018-7642</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-7643">CVE-2018-7643</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2018-8945">CVE-2018-8945</uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-11-24T22:06:12Z">b-man</metadata>
+  <metadata tag="submitter" timestamp="2018-11-27T02:00:21Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-18.xml b/metadata/glsa/glsa-201811-18.xml
new file mode 100644
index 000000000000..b69d0f0ebc34
--- /dev/null
+++ b/metadata/glsa/glsa-201811-18.xml
@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-18">
+  <title>Tablib: Arbitrary command execution</title>
+  <synopsis>A vulnerability in Tablib might allow remote attackers to execute
+    arbitrary python commands.
+  </synopsis>
+  <product type="ebuild">tablib</product>
+  <announced>2018-11-27</announced>
+  <revised count="1">2018-11-27</revised>
+  <bug>621884</bug>
+  <access>remote</access>
+  <affected>
+    <package name="dev-python/tablib" auto="yes" arch="*">
+      <unaffected range="ge">0.12.1</unaffected>
+      <vulnerable range="lt">0.12.1</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Tablib is an MIT Licensed format-agnostic tabular dataset library,
+      written in Python. It allows you to import, export, and manipulate
+      tabular data sets.
+    </p>
+  </background>
+  <description>
+    <p>A vulnerability was discovered in Tablib’s Databook loading
+      functionality, due to improper input validation.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, by enticing the user to process a specially crafted
+      Databook via YAML, could possibly execute arbitrary python commands with
+      the privilege of the process.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Tablib users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=dev-python/tablib-0.12.1"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-2810">CVE-2017-2810</uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-11-24T22:46:04Z">b-man</metadata>
+  <metadata tag="submitter" timestamp="2018-11-27T02:02:33Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-19.xml b/metadata/glsa/glsa-201811-19.xml
new file mode 100644
index 000000000000..d4a6a1ca3efb
--- /dev/null
+++ b/metadata/glsa/glsa-201811-19.xml
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-19">
+  <title>Libav: Multiple vulnerabilities</title>
+  <synopsis>Multiple vulnerabilities have been found in Libav, the worst of
+    which may allow a Denial of Service condition.
+  </synopsis>
+  <product type="ebuild">libav</product>
+  <announced>2018-11-27</announced>
+  <revised count="1">2018-11-27</revised>
+  <bug>637458</bug>
+  <access>remote</access>
+  <affected>
+    <package name="media-video/libav" auto="yes" arch="*">
+      <unaffected range="ge">12.3</unaffected>
+      <vulnerable range="lt">12.3</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>Libav is a complete solution to record, convert and stream audio and
+      video.
+    </p>
+  </background>
+  <description>
+    <p>Multiple vulnerabilities have been discovered in Libav. Please review
+      the CVE identifiers referenced below for details.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>A remote attacker, via a crafted Smacker stream, could cause a Denial of
+      Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All Libav users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=media-video/libav-12.3"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-16803">CVE-2017-16803</uri>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-7862">CVE-2017-7862</uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-11-24T23:08:51Z">b-man</metadata>
+  <metadata tag="submitter" timestamp="2018-11-27T02:04:05Z">b-man</metadata>
+</glsa>
diff --git a/metadata/glsa/glsa-201811-20.xml b/metadata/glsa/glsa-201811-20.xml
new file mode 100644
index 000000000000..ac3e7b0d2894
--- /dev/null
+++ b/metadata/glsa/glsa-201811-20.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
+<glsa id="201811-20">
+  <title>spice-gtk: Remote code execution</title>
+  <synopsis>A vulnerability in spice-gtk could allow an attacker to remotely
+    execute arbitrary code.
+  </synopsis>
+  <product type="ebuild">spice-gtk</product>
+  <announced>2018-11-27</announced>
+  <revised count="1">2018-11-27</revised>
+  <bug>650878</bug>
+  <access>local, remote</access>
+  <affected>
+    <package name="net-misc/spice-gtk" auto="yes" arch="*">
+      <unaffected range="ge">0.34</unaffected>
+      <vulnerable range="lt">0.34</vulnerable>
+    </package>
+  </affected>
+  <background>
+    <p>spice-gtk is a set of GObject and Gtk objects for connecting to Spice
+      servers and a client GUI.
+    </p>
+  </background>
+  <description>
+    <p>A vulnerability was found in spice-gtk client due to the incorrect use
+      of integer types and missing overflow checks.
+    </p>
+  </description>
+  <impact type="normal">
+    <p>An attacker, by enticing the user to join a malicious server, could
+      remotely execute arbitrary code or cause a Denial of Service condition.
+    </p>
+  </impact>
+  <workaround>
+    <p>There is no known workaround at this time.</p>
+  </workaround>
+  <resolution>
+    <p>All spice-gtk users should upgrade to the latest version:</p>
+    
+    <code>
+      # emerge --sync
+      # emerge --ask --oneshot --verbose "&gt;=net-misc/spice-gtk-0.34"
+    </code>
+  </resolution>
+  <references>
+    <uri link="https://nvd.nist.gov/vuln/detail/CVE-2017-12194">CVE-2017-12194</uri>
+  </references>
+  <metadata tag="requester" timestamp="2018-11-24T22:29:36Z">b-man</metadata>
+  <metadata tag="submitter" timestamp="2018-11-27T02:05:55Z">b-man</metadata>
+</glsa>
author	Repository mirror & CI <repomirrorci@gentoo.org>	2018-11-27 02:24:23 +0000
committer	Repository mirror & CI <repomirrorci@gentoo.org>	2018-11-27 02:24:23 +0000
commit	177502ae4dcce017cbf17cdc572a0ad289cd4140 (patch)
tree	169d1fcb66aa436d698fde1a80b5268f14df9548 /metadata/glsa
parent	2018-11-26 22:44:55 UTC (diff)
parent	[ GLSA 201811-20 ] spice-gtk: Remote code execution (diff)
download	gentoo-177502ae4dcce017cbf17cdc572a0ad289cd4140.tar.gz gentoo-177502ae4dcce017cbf17cdc572a0ad289cd4140.tar.bz2 gentoo-177502ae4dcce017cbf17cdc572a0ad289cd4140.zip