Bug 212696 (CVE-2006-4513)

Summary: CVE-2006-4513: multiple integer overflows in wv < 1.2.3
Product: [Fedora] Fedora Reporter: Ville Skyttä <scop>
Component: wvAssignee: Aurelien Bompard <gauret>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 6CC: extras-qa, fedora-security-list
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4513
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-10-29 18:09:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Ville Skyttä 2006-10-28 06:16:08 UTC
Multiple integer overflows in wv < 1.2.3: 
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4513

All FE versions seem affected.

Comment 1 Aurelien Bompard 2006-10-28 16:57:01 UTC
Updated to 1.2.4 for FC-5, FC-6 and devel

Comment 2 Ville Skyttä 2006-10-28 20:15:44 UTC
FC-4 seems to have been updated too, but build failed, libgsf-devel >= 1.11.2 
not found: http://buildsys.fedoraproject.org/build-status/job.psp?uid=20439

I don't see a devel build either in the failed or succeeded build lists.

Comment 3 Aurelien Bompard 2006-10-29 07:04:48 UTC
Devel build re-requested.
wv really needs libgsf >= 1.13.0 (in version 1.2.3 too), and this does not exist
in FC-4. What should I do ?

Comment 4 Ville Skyttä 2006-10-29 09:26:10 UTC
Perhaps take a look if the fixes are easy to backport as a patch to an older 
wv version instead of upgrading it?

If not, or if you're not (that) interested in FC-4 any more, I'd suggest 
reverting the upgrade to 1.2.4 in the FC-4 branch in order to provide a clean 
table for someone else who might be interested in taking a look at fixing it 
for legacy distro version(s).

Comment 5 Aurelien Bompard 2006-10-29 18:09:23 UTC
OK, the patch applies fine on version 1.0.3 and it builds fine. However, I have
no FC-4 system to test it on. Since it seems to be a small patch, I've requested
the build nevertheless.