Source: gtkwave
Version: 3.3.116-1
Severity: grave
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>
A very thorough security audit of gtkwave unveiled a total of 82 security issues in gtkwave, all fixed in 3.3.118:
CVE-2023-32650 CVE-2023-34087 CVE-2023-34436 CVE-2023-35004
CVE-2023-35057 CVE-2023-35128 CVE-2023-35702 CVE-2023-35703
CVE-2023-35704 CVE-2023-35955 CVE-2023-35956 CVE-2023-35957
CVE-2023-35958 CVE-2023-35959 CVE-2023-35960 CVE-2023-35961
CVE-2023-35962 CVE-2023-35963 CVE-2023-35964 CVE-2023-35969
CVE-2023-35970 CVE-2023-35989 CVE-2023-35992 CVE-2023-35994
CVE-2023-35995 CVE-2023-35996 CVE-2023-35997 CVE-2023-36746
CVE-2023-36747 CVE-2023-36861 CVE-2023-36864 CVE-2023-36915
CVE-2023-36916 CVE-2023-37282 CVE-2023-37416 CVE-2023-37417
CVE-2023-37418 CVE-2023-37419 CVE-2023-37420 CVE-2023-37442
CVE-2023-37443 CVE-2023-37444 CVE-2023-37445 CVE-2023-37446
CVE-2023-37447 CVE-2023-37573 CVE-2023-37574 CVE-2023-37575
CVE-2023-37576 CVE-2023-37577 CVE-2023-37578 CVE-2023-37921
CVE-2023-37922 CVE-2023-37923 CVE-2023-38583 CVE-2023-38618
CVE-2023-38619 CVE-2023-38620 CVE-2023-38621 CVE-2023-38622
CVE-2023-38623 CVE-2023-38648 CVE-2023-38649 CVE-2023-38650
CVE-2023-38651 CVE-2023-38652 CVE-2023-38653 CVE-2023-38657
CVE-2023-39234 CVE-2023-39235 CVE-2023-39270 CVE-2023-39271
CVE-2023-39272 CVE-2023-39273 CVE-2023-39274 CVE-2023-39275
CVE-2023-39316 CVE-2023-39317 CVE-2023-39413 CVE-2023-39414
CVE-2023-39443 CVE-2023-39444
Let's first fix unstable and then we can simple build 3.3.118
for stable-security and oldstable-security as well.
...
Cheers,
Moritz
tags 1060407 + patchBug #1060407 [src:gtkwave] Multiple security issues
tags 1060407 + pendingBug #1060407 [src:gtkwave] Multiple security issues
attached are proposed debdiffs for updating gtkwave to 3.3.118 in {bookworm,bullseye,buster}-security for review for a DSA
(and as preview for buster).
General notes:
I checked a handful CVEs, and they were also present in buster.
If anyone insists that I check for every single CVE whether it is also
in buster I can do that, but that would be a lot of work.
As mentioned in #1060407 there are different tarballs for GTK 2 and GTK 3. Looking closer I realized that this is actually one tarball that
supports GTK 1+2, and one tarball that supports GTK 2+3.
I did stay at the GTK 1+2 tarball that was already used before
for bullseye and buster since there was anyway a different upstream
tarball required for the +really version that is required to avoid
creating file conflicts with ghwdump when upgrading to bookworm.
What does the security team consider the best versioning for bullseye?
In #1060407 I suggested 3.3.104+really3.3.118-0.1, but now I ended up preferring 3.3.104+really3.3.118-0+deb11u1
debdiffs contain only changes to debian/
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 297 |
Nodes: | 16 (2 / 14) |
Uptime: | 07:41:13 |
Calls: | 6,666 |
Files: | 12,213 |
Messages: | 5,336,185 |