| 1 |
On Thu, Jan 08, 2015 at 04:26:02AM +0300, Andrew Savchenko wrote: |
| 2 |
> On Tue, 6 Jan 2015 17:47:10 -0600 William Hubbs wrote: |
| 3 |
> > All, |
| 4 |
> > |
| 5 |
> > these packages have been masked in the tree for months - years with no |
| 6 |
> > signs of fixes. |
| 7 |
> |
| 8 |
> Some of them are binary packages or have no fixes upstream. If |
| 9 |
> there are no alternatives in tree for a package, and it works fine |
| 10 |
> (despite some bugs or issues), then let it be. If package is |
| 11 |
> broken, doesn't compile and upstream is dead, this is a possible |
| 12 |
> candidate for removal. |
| 13 |
> |
| 14 |
> > # Ulrich Müller <ulm@g.o> (15 Jul 2014) |
| 15 |
> > # Permanently mask sys-libs/lib-compat and its reverse dependencies, |
| 16 |
> > # pending multiple security vulnerabilities and QA issues. |
| 17 |
> > # See bugs #515926 |
| 18 |
> |
| 19 |
> This is just QA. |
| 20 |
> |
| 21 |
> > games-fps/rtcw |
| 22 |
> |
| 23 |
> Works fine here. While there are possible security issues due to |
| 24 |
> 510960, it is perfectly safe to be used in isolated environment |
| 25 |
> (e.g. a local game in a separate container). |
| 26 |
> |
| 27 |
> > # Chris Gianelloni <wolf31o2@g.o> (03 Mar 2008) |
| 28 |
> > # Masking due to security bug #194607 and security bug #204067 |
| 29 |
> > games-fps/doom3 |
| 30 |
> > games-fps/doom3-cdoom |
| 31 |
> > games-fps/doom3-chextrek |
| 32 |
> > games-fps/doom3-data |
| 33 |
> > games-fps/doom3-demo |
| 34 |
> > games-fps/doom3-ducttape |
| 35 |
> > games-fps/doom3-eventhorizon |
| 36 |
> > games-fps/doom3-hellcampaign |
| 37 |
> > games-fps/doom3-inhell |
| 38 |
> > games-fps/doom3-lms |
| 39 |
> > games-fps/doom3-mitm |
| 40 |
> > games-fps/doom3-phantasm |
| 41 |
> > games-fps/doom3-roe |
| 42 |
> |
| 43 |
> Only doom3 is vulnerable here, other pacakegs s are just deps. |
| 44 |
> Both vulnerabilities are remote, so local users (e.g. if someone |
| 45 |
> just wants to play original doom3 without multiplayer game) are |
| 46 |
> perfectly safe. |
| 47 |
> |
| 48 |
> Yet this issue may be fixed: doom3 released source code under GPL-3: |
| 49 |
> https://github.com/id-Software/DOOM-3 |
| 50 |
> Maybe doom3 should be renamed to doom3-bin (if someone needs it for |
| 51 |
> whatever reason), and doom3 should be readded as a GPL-3 version. |
| 52 |
> Doom3 build from source works great for me. |
| 53 |
|
| 54 |
This would be for the maintainers to decide, but if it is under gpl3 |
| 55 |
now, I would vote for adding the new version and getting rid of the old |
| 56 |
one. I don't see a need to keep a binary proprietary product if the new |
| 57 |
one is gpl'd. |
| 58 |
|
| 59 |
This is why I posted this last rites, to get people to look at the |
| 60 |
packages. :-) |
| 61 |
|
| 62 |
William |
| 63 |
|
| 64 |
> |
| 65 |
> Security issues are just format string handlings and should be easy |
| 66 |
> to fix with source code available, though considering how picky is |
| 67 |
> games team for changing network code outside of upstream, I really |
| 68 |
> doubt such patches have a chance to come to the tree. |
| 69 |
> |
| 70 |
> > # Tavis Ormandy <taviso@g.o> (21 Mar 2006) |
| 71 |
> > # masked pending unresolved security issues #127167 |
| 72 |
> > games-roguelike/slashem |
| 73 |
> > |
| 74 |
> > # Tavis Ormandy <taviso@g.o> (21 Mar 2006) |
| 75 |
> > # masked pending unresolved security issues #125902 |
| 76 |
> > games-roguelike/nethack |
| 77 |
> > games-util/hearse |
| 78 |
> |
| 79 |
> Upstream doesn't consider these issues as bugs at all. This is a |
| 80 |
> clash of incompatible permission policies by games team and |
| 81 |
> nethack. |
| 82 |
> |
| 83 |
> Best regards, |
| 84 |
> Andrew Savchenko |
Archives