[gentoo-dev] qa last rites -- long list

2015-01-06 Thread William Hubbs
All,

Many packages have been masked in the tree for months - years with no
signs of fixes.

I am particularly concerned about packages with known security
vulnerabilities staying in the main tree masked. If people want to keep
using those packages, I don't want to stop them, but packages like this
should be in an overlay, not the main tree.

On 28 Jan, I will go through this list again, from oldest to newest,
first focusing on packages with known security issues. Any of these that
I find still in p.mask or with no fixes but still in the
main tree will be removed then.

# Patrick Lauer  (24 Nov 2014)
# Missing deps, uninstallable
app-misc/email2trac
www-apps/trac-downloads

# Jauhien Piatlicki  (5 Oct 2014)
# Masked because of bug 524390: privilege escalation
# until upstream fixes this security issue.
# Use at your own risk
 (04 Sep 2014)
# Security mask, wrt bugs #488212, #498164, #500260,
# #507802 and #518718
 (03 Sep 2014)
# Markos Chandras  (02 Sep 2014)
# MSN service terminated.
# You can still use your MSN account in net-im/skype
# or switch to an open protocol instead
# Masked for removal in 30 days
net-im/amsn
x11-themes/amsn-skins

# Christian Faulhammer  (02 Sep 2014)
# website not working anymore and will stay like this,
# tool is useless. See bug 504734
app-admin/hwreport

# Ulrich Müller  (15 Jul 2014)
# Permanently mask sys-libs/lib-compat and its reverse dependencies,
# pending multiple security vulnerabilities and QA issues.
# See bugs #515926 and #510960.
sys-libs/lib-compat
sys-libs/lib-compat-loki
games-action/mutantstorm-demo
games-action/phobiaii
games-emulation/handy
games-fps/rtcw
games-fps/unreal
games-strategy/heroes3
games-strategy/heroes3-demo
games-strategy/smac
sys-block/afacli

# Mike Gilbert  (13 Jun 2014)
# Masked due to security bug 499870.
# Please migrate to net-misc/libreswan.
# If you are a Gentoo developer, feel free to pick up maintenance of openswan
# and remove this mask after resolving the security issue.
net-misc/openswan

# Mike Gilbert  (10 Jun 2014)
# Tom Wijsman  (8 Jun 2014)
# Mask VLC ebuilds that are affected with security bug CVE-2013-6934:
#
# A vulnerability has been discovered in VLC Media Player, which can be
# exploited by malicious people to compromise a user's system.
#
# Some ebuilds also have other buffer and integer overflow security bugs like
# CVE-2013-1954, CVE-2013-3245, CVE-2013-4388 and CVE-2013-6283.
#
# Users should consider upgrading VLC Media Player to at least version 2.1.2.
 (6 Jun 2014)
# Tom Wijsman  (6 Jun 2014)
# Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153.
#
# Pinkie Pie discovered an issue in the futex subsystem that allows a
# local user to gain ring 0 control via the futex syscall. An
# unprivileged user could use this flaw to crash the kernel (resulting
# in denial of service) or for privilege escalation.
#
# https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
=sys-kernel/gentoo-sources-3.2.58-r2
~sys-kernel/gentoo-sources-3.4.90
=sys-kernel/gentoo-sources-3.4.91
~sys-kernel/gentoo-sources-3.10.40
=sys-kernel/gentoo-sources-3.10.41
~sys-kernel/gentoo-sources-3.12.20
=sys-kernel/gentoo-sources-3.12.21
~sys-kernel/gentoo-sources-3.14.4
=sys-kernel/gentoo-sources-3.14.5

# Tom Wijsman  (30 May 2014)
# CVE-2012-1721 - Remote Code Execution Vulnerability
#
# Vulnerable: IBM Java SE 5.0 SR12-FP5
# URL:http://www.securityfocus.com/bid/53959/
dev-java/ibm-jdk-bin:1.5

# Alexander Vershilov  (02 Apr 2014)
# Multiple vulnerabilities, see #504724, #505860
 (26 Mar 2014)
# Affected by multiple vulnerabilities, #445916, #471098 and #472280
 (20 Mar 2014)
# Security mask of vulnerable versions, wrt bug #424167
 (9 Jul 2013)
# Masked for security bug 450746, CVE-2012-6095
 (30 Oct 2011)
# Masked for security bug #294253, use only at your own risk!
=media-libs/fmod-3*
games-puzzle/candycrisis
games-simulation/stoned-bin
games-sports/racer-bin
games-strategy/dark-oberon
games-strategy/savage-bin

# Chris Gianelloni  (03 Mar 2008)
# Masking due to security bug #194607 and security bug #204067
games-fps/doom3
games-fps/doom3-cdoom
games-fps/doom3-chextrek
games-fps/doom3-data
games-fps/doom3-demo
games-fps/doom3-ducttape
games-fps/doom3-eventhorizon
games-fps/doom3-hellcampaign
games-fps/doom3-inhell
games-fps/doom3-lms
games-fps/doom3-mitm
games-fps/doom3-phantasm
games-fps/doom3-roe
games-fps/quake4-bin
games-fps/quake4-data
games-fps/quake4-demo

# Tavis Ormandy  (21 Mar 2006)
# masked pending unresolved security issues #127167
games-roguelike/slashem

# Tavis Ormandy  (21 Mar 2006)
# masked pending unresolved security issues #125902
games-roguelike/nethack
games-util/hearse

#  (01 Apr 2004)
# The following packages contain a remotely-exploitable
# security vulnerability and have been hard masked accordingly.
#
# Please see http://bugs.gentoo.org/show_bug.cgi?id=44351 for more info
#
games-fps/unreal-tournament-goty
games-fps/unreal-tournament-strikeforce
games-fps/unreal-tournament-bo
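As an added example (not part of the thread or of Gentoo's own tooling), here is a small parser for the package.mask comment format quoted above: it splits the file into entries, reads the author/date header, flags entries whose comment mentions a security problem, and lists those older than a threshold from oldest to newest, which is the triage order described in the message. The sample text is constructed from entries quoted in the thread; the keyword regex and the 180-day threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in package.mask format (entries copied from the thread).
SAMPLE_MASK = """\
# Patrick Lauer  (24 Nov 2014)
# Missing deps, uninstallable
app-misc/email2trac
www-apps/trac-downloads

# Mike Gilbert  (13 Jun 2014)
# Masked due to security bug 499870.
# Please migrate to net-misc/libreswan.
net-misc/openswan

# Tavis Ormandy  (21 Mar 2006)
# masked pending unresolved security issues #125902
games-roguelike/nethack
games-util/hearse
"""

# "# Name  (24 Nov 2014)" header line; the name may be empty in stripped copies.
HEADER_RE = re.compile(r"^#\s*(?P<who>.*?)\s*\((?P<date>\d{1,2} \w{3} \d{4})\)\s*$")
# Assumed keyword list marking a mask as security-related.
SECURITY_RE = re.compile(r"security|CVE-\d{4}-\d+|privilege escalation|exploit", re.I)


def parse_mask(text):
    """Split package.mask text into (date, author, comment, atoms) entries."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an entry header (e.g. stray text); skip it
        when = datetime.strptime(m.group("date"), "%d %b %Y").date()
        comment = " ".join(l[1:].strip() for l in lines[1:] if l.startswith("#"))
        atoms = [l.strip() for l in lines[1:] if l.strip() and not l.startswith("#")]
        entries.append((when, m.group("who"), comment, atoms))
    return entries


def stale_security_masks(text, today, min_days=180):
    """Security-related masks at least min_days old on `today`, oldest first."""
    out = []
    for when, who, comment, atoms in parse_mask(text):
        age = (today - when).days
        if age >= min_days and SECURITY_RE.search(comment):
            out.append({"date": when, "who": who, "age_days": age, "atoms": atoms})
    return sorted(out, key=lambda e: e["date"])
```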

Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread Patrick Lauer
On 01/07/15 06:24, William Hubbs wrote:
> All,
> 
> Many packages have been masked in the tree for months - years with no
> signs of fixes.
> 
> I am particularly concerned about packages with known security
> vulnerabilities staying in the main tree masked. If people want to keep
> using those packages, I don't want to stop them, but packages like this
> should be in an overlay, not the main tree.
> 

> # Sergey Popov  (20 Mar 2014)
> # Security mask of vulnerable versions, wrt bug #424167
> 

Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread Philip Webb
150106 William Hubbs wrote:
> Many packages have been masked in the tree for months - years
> with no signs of fixes.  I am particularly concerned
> about packages with known security vulnerabilities
> staying in the main tree masked.  If people want to keep those packages,
> I don't want to stop them, but packages like this should be in an overlay,
> not the main tree.

-- snip --

> # Tavis Ormandy  (21 Mar 2006)
> # masked pending unresolved security issues #125902
> games-roguelike/nethack

-- snip --

This one is perfectly safe on a single-user system : please leave it there.

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatchassdotutorontodotca

Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread William Hubbs
On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
> 150106 William Hubbs wrote:
> > Many packages have been masked in the tree for months - years
> > with no signs of fixes.  I am particularly concerned
> > about packages with known security vulnerabilities
> > staying in the main tree masked.  If people want to keep those packages,
> > I don't want to stop them, but packages like this should be in an overlay,
> > not the main tree.
> 
> -- snip --
> 
> > # Tavis Ormandy  (21 Mar 2006)
> > # masked pending unresolved security issues #125902
> > games-roguelike/nethack
> 
> -- snip --
> 
> This one is perfectly safe on a single-user system : please leave it there.

I'm not opposed to it staying in the tree under one of these conditions:

1) fix it and remove the mask

or

2) remove the mask and add ewarns to the ebuild

William

Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread Philip Webb
150107 William Hubbs wrote:
> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
>> 150106 William Hubbs wrote:
>>> Many packages have been masked in the tree for months - years
>>> with no signs of fixes.  I am particularly concerned
>>> about packages with known security vulnerabilities
>>> staying in the main tree masked.  If people want to keep those packages,
>>> I don't want to stop them, but packages like this should be in an overlay,
>>> not the main tree.
>> -- snip --
>> > # Tavis Ormandy  (21 Mar 2006)
>> > # masked pending unresolved security issues #125902
>> > games-roguelike/nethack
>> -- snip --
>> This one is perfectly safe on a single-user system : please leave it there.
> I'm not opposed to it staying in the tree under one of these conditions:
> 1) fix it and remove the mask or

I'm a user, not a dev or a programmer.

> 2) remove the mask and add ewarns to the ebuild

That looks more reasonable & something a dev could easily do.


Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread Matt Turner
On Wed, Jan 7, 2015 at 7:57 AM, William Hubbs  wrote:
> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
>> 150106 William Hubbs wrote:
>> This one is perfectly safe on a single-user system : please leave it there.
>
> I'm not opposed to it staying in the tree under one of these conditions:
>
> 1) fix it and remove the mask
>
> or
>
> 2) remove the mask and add ewarns to the ebuild

Remove the mask that people have to see and actively disable in order
to install the software and replace it with ewarn messages that they
likely won't read?

I don't see the problem with versions with security vulnerabilities
masked in the tree. nethack in particular has been masked in the tree
since 2006, so we have some precedence.