Mailing List Archive

Gentoo Weekly Newsletter 25 April 2005
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 25 April 2005.

1. Gentoo News

Project Dolphin: Experimental rescue CD

Benjamin Judas[1] announced last Friday that the release-engineering team
has created a new experimental subproject called "Project Dolphin" in
order to provide a feature-enhanced LiveCD version targeted at system
rescue. Much like the unofficial French SysRescueCD[2] that is also based
on the Gentoo LiveCD, Project Dolphin aims at offering all the tools
needed for the recovery of broken installations, failing harddisks or
other systems in need of rescue.


Figure 1.1: Project Dolphin - LiveCD for rescue missions

Highlights of the CD include zsh, samba, bacula, mc, dar, mutt, xfsdump,
ide-smart, netcat, nmap, chrootkit, partimage, ncftp, centericq,
bind-tools, alsa-utils, mpg321. A very early test ISO image, actively
soliciting testers, has been made available in the experimental section of
the Gentoo mirrors[3] for download, in the /experimental/x86/livecd/x86
path. Users are strongly encouraged to submit comments to a freshly
introduced meta-bug[4], either to report problems or to request feature
additions. Thanks a lot for your support!


International Gentoo mailing list additions

Two new mailing lists have been made available last week: The Dutch
version of the Gentoo Weekly Newsletter is now distributed in plain text
version via e-mail, at, shortly after being
translated from the English original. As all other newsletter lists, it is
for distribution only. Dutch and Flemish speaking readers of the GWN can
subscribe to the new list by sending an e-mail to and following the instructions in the
confirmation message they'll receive.

A regular support and discussion list has been set up for all Russian
Gentoo users, as Konstantin V. Arkhipov[5] announced last week. can be subscribed by sending a blank message to A full list of official Gentoo
mailing lists, both English and non-English ones, is available along with
usage instructions at the mailing list page[6].


2. Developer of the week

"Gentoo is Zen applied to software" -- Patrick Lauer (bonsaikitten)

Figure 2.1: Patrick Lauer aka Bonsaikitten

This week's featured developer is bonsaikitten[7], who goes by the name
Patrick Lauer in real life. He has no allegiance pledged to any particular
faction of Gentoo devhood, but likes to work on a bit of everything. Since
late 2004 he is also a regular contributor to the GWN, in particular the
gentoo-dev mailing list summaries and this column, the dev-of-the-week,
are usually authored by him.


Patrick operates the[8] server, offering ressources
for weird and unfinished ideas, including (but not limited to) tinderbox,
the script repository[9] and future (web-)rsync replacement candidates.
Planet Gentoo was first hosted on Patrick's server before being moved onto
official hardware managed by the Gentoo infrastructure team.


During the day he's a student of Computer Science at the RWTH Aachen,
Germany, where he has started writing his thesis on "anonymous networks",
leaving precious little time for everything else, but after four and a
half years at the university he feels ready to move on. His computing
environment is a room full of crummy old hardware, a Quad Xeon, two
Athlons, and (courtesy of the CS faculty of his university) a 16-CPU

He is a user of blackbox, firefox, licq, sometimes konqueror, and -- due
to vendor lock-in -- evolution, which seems to get less useful with every
revision, "as do all gnomes and trolls," says Patrick. He likes to work in
Python, but other languages are no problem, either - "unless they are
called Java and need longish incantations for every single statement."
When the weather permits he can be found mountainbiking in the woods and
fields around Aachen. He also enjoys good food, good (Belgian) beer, and
the presence of preferably highly intelligent and sexy women (although the
latter does not happen as often as desired). His motto is borrowed from
Alfred Lord Tennyson: "It is better to have loved and lost than never to
have loved at all."

3. Heard in the community


Some new xorg ebuilds

For all those that desparately need the newest and most bleeding edge
stuff, Donnie Berkholz[10] has put some new xorg ebuilds in portage. Bug
reports are appreciated. Especially the 6.8.99.* snapshots might be
interesting to try out - but be warned, it might break ...


* new xorg ebuilds [11]

Category rename

Since there are many proxies (but not all of them www only), the www-proxy
category might be renamed to net-proxy. All the SOCKS, www, ftp etc.
proxies will then be easy to find in their new category.

* Category rename [12]

Gentoo as a development platform

Daniel Drake[13] starts a discussion on how to use Gentoo as a development
platform where you usually have to pull in various fixes from CVS. How do
you keep everything under portage's control while still being able to fix
things? Does portage support live CVS ebuilds in a sane fashion? Read on
to find out more.


* Gentoo as development platform [14]

Apache problems

As some of you might have noticed, the Gentoo Apache team has done some
quite extensive changes to the newest versions of Apache. This was done
for various reasons, including (but not limited to) easier maintenance.
This has caused various problems since there is no easy migration path,
and most users don't want to throw away their apache config and start from
scratch. Because of this the newest versions are package.mask'ed until
this situation is resolved.

* package.mask'ing the new apache ebuilds [15]
* new apache stuff in testing[16]

4. Gentoo International

Switzerland: Pentoo - Gentoo-based intrusion detection LiveCD

"Pentoo"[17] is an acronym for "PENetration on genTOO". It is based on
kernel version 2.6.10, uses the Gnome desktop environment, and aims to
provide a complete platform for intrusion detection, penetration-testing
and security assessment. The content of the LiveCD can be updated,
allowing for up-to-date fingerprint and vulnerability databases, for tools
that require regular updates like the Nessus plugins, or scanner
fingerprint files, metasploit etc. Users can optionaly store data on USB
sticks for non-volatile storage support. Pentoo's author, Michael
Zanetta[18], emphasizes that "it has to be considered beta as I have not
much time to test it carefully," so feedback and comments are very
welcome, at A roadmap for the project[19] is available,


Figure 4.1: Penetration testing based on Gentoo: Swiss 'Pentoo'

5. Gentoo in the press

Somos libres (25 April 2005, in Spanish)

Today's edition of the Peruvian "Free and Open Software User Group"
website at Somos Libres has an interview with Daniel Oliveira,[20] one of
the heads of the Gentoo spin-off project Ututo[21] developed at and around
the university of Buenos Aires in neighboring Argentina. Oliveira, who
represents a core team of 37 developers busy pushing Ututo to individual
users, but also into municipal services and small and medium enterprises
in Argentina, explains the history and the current status of the project.


6. Moves, adds, and changes


The following developers recently left the Gentoo team:

* None this week


The following developers recently joined the Gentoo Linux team:

* Herbie Hopkins (Herbs) - AMD64


The following developers recently changed roles within the Gentoo Linux

* None this week

7. Gentoo security

phpMyAdmin: Cross-site scripting vulnerability

phpMyAdmin is vulnerable to a cross-site scripting attack.

For more information, please see the GLSA Announcement[22]


Axel: Vulnerability in HTTP redirection handling

A buffer overflow vulnerability has been found in Axel which could lead to
the execution of arbitrary code.

For more information, please see the GLSA Announcement[23]


Gld: Remote execution of arbitrary code

Gld contains several serious vulnerabilities, potentially resulting in the
execution of arbitrary code as the root user.

For more information, please see the GLSA Announcement[24]


JunkBuster: Multiple vulnerabilities

JunkBuster is vulnerable to a heap corruption vulnerability, and under
certain configurations may allow an attacker to modify settings.

For more information, please see the GLSA Announcement[25]


rsnapshot: Local privilege escalation

rsnapshot allows a local user to take ownership of local files, resulting
in privilege escalation.

For more information, please see the GLSA Announcement[26]


OpenOffice.Org: DOC document Heap Overflow

OpenOffice.Org is vulnerable to a heap overflow when processing DOC
documents, which could lead to arbitrary code execution.

For more information, please see the GLSA Announcement[27]


monkeyd: Multiple vulnerabilities

Format string and Denial of Service vulnerabilities have been discovered
in the monkeyd HTTP server, potentially resulting in the execution of
arbitrary code.

For more information, please see the GLSA Announcement[28]


PHP: Multiple vulnerabilities

Several vulnerabilities were found and fixed in PHP image handling
functions, potentially resulting in Denial of Service conditions or the
remote execution of arbitrary code.

For more information, please see the GLSA Announcement[29]


CVS: Multiple vulnerabilities

Several serious vulnerabilities have been found in CVS, which may allow an
attacker to remotely compromise a CVS server or cause a DoS.

For more information, please see the GLSA Announcement[30]


XV: Multiple vulnerabilities

Multiple vulnerabilities have been discovered in XV, potentially resulting
in the execution of arbitrary code.

For more information, please see the GLSA Announcement[31]


Mozilla Firefox, Mozilla Suite: Multiple vulnerabilities

New Mozilla Firefox and Mozilla Suite releases fix new security
vulnerabilities, including memory disclosure and various ways of executing
JavaScript code with elevated privileges.

For more information, please see the GLSA Announcement[32]


MPlayer: Two heap overflow vulnerabilities

Two vulnerabilities have been found in MPlayer which could lead to the
remote execution of arbitrary code.

For more information, please see the GLSA Announcement[33]


openMosixview: Insecure temporary file creation

openMosixview and the openMosixcollector daemon are vulnerable to symlink
attacks, potentially allowing a local user to overwrite arbitrary files.

For more information, please see the GLSA Announcement[34]


RealPlayer, Helix Player: Buffer overflow vulnerability

RealPlayer and Helix Player are vulnerable to a buffer overflow that could
lead to remote execution of arbitrary code.

For more information, please see the GLSA Announcement[35]


KDE kimgio: PCX handling buffer overflow

KDE fails to properly validate input when handling PCX images, potentially
resulting in the execution of arbitrary code.

For more information, please see the GLSA Announcement[36]


Kommander: Insecure remote script execution

Kommander executes remote scripts without confirmation, potentially
resulting in the execution of arbitrary code.

For more information, please see the GLSA Announcement[37]


8. Bugzilla


* Statistics
* Closed bug ranking
* New bug rankings


The Gentoo community uses Bugzilla ([38]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. Between 17 April 2005 and 24 April 2005, activity on the
site has resulted in:


* 817 new bugs during this period
* 493 bugs closed or resolved during this period
* 14 previously closed bugs were reopened this period

Of the 8497 currently open bugs: 89 are labeled 'blocker', 231 are labeled
'critical', and 628 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period

* media-video herd[39], with 44 closed bugs[40]
* AMD64 Porting Team[41], with 43 closed bugs[42]
* Gentoo Sound Team[43], with 19 closed bugs[44]
* Gentoo Security[45], with 18 closed bugs[46]
* Jeremy Huddleston[47], with 16 closed bugs[48]
* Java team[49], with 13 closed bugs[50]
* Gentoo Science Related Packages[51], with 12 closed bugs[52]
* Daniel Black[53], with 12 closed bugs[54]

New bug rankings

The developers and teams who have been assigned the most new bugs during
this period are:

* Gentoo Linux bug wranglers[55], with 19 new bugs[56]
* Mozilla Gentoo Team[57], with 13 new bugs[58]
* media-video herd[59], with 13 new bugs[60]
* Gentoo Sound Team[61], with 11 new bugs[62]
* Jeremy Huddleston[63], with 11 new bugs[64]
* Television related Applications in Gentoo's Portage[65], with 10 new
* Gentoo KDE team[67], with 9 new bugs[68]
* Gentoo Linux Gnome Desktop Team[69], with 9 new bugs[70]

9. GWN feedback

Please send us your feedback[71] and help make the GWN better.


10. GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to

To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to from the email address you are
subscribed under.

11. Other languages

The Gentoo Weekly Newsletter is also available in the following languages:

* Danish[72]
* Dutch[73]
* English[74]
* German[75]
* French[76]
* Japanese[77]
* Italian[78]
* Polish[79]
* Portuguese (Brazil)[80]
* Portuguese (Portugal)[81]
* Russian[82]
* Spanish[83]
* Turkish[84]

Ulrich Plate <> - Editor
Patrick Lauer <> - Author

-- mailing list