Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.

From:	Alex Vong
Subject:	Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
Date:	Sat, 15 Oct 2016 08:31:33 +0800
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Leo Famulari <address@hidden> writes:

> On Fri, Oct 14, 2016 at 10:02:58PM +0800, Alex Vong wrote:
>> Hi,
>> 
>> I find out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366,
>> 8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to
>> 0.17.2.
>> 
>
>> From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001
>> From: Alex Vong <address@hidden>
>> Date: Fri, 14 Oct 2016 21:45:47 +0800
>> Subject: [PATCH] gnu: libraw: Update to 0.17.2.
>> 
>> * gnu/packages/photo.scm (libraw): Update to 0.17.2.
>
> Thank you for catching this and sending a patch!
>
> I added the CVE IDs to the commit message and pushed as
> b280e67ca6f62c176c72439df4533a9737b9130a.
>
>> I think we really need a security tracker as suggested earlier (by Leo I
>> think), because the bug was disclosed in Dec 2015, so our libraw is
>> being vulnerable for 3/4 year, which is pretty scary!
>
> Did I suggest that? I don't usually suggest creating new infrastructure
> :)
>
Ok. It must be someone else suggesting creating a website... :)

> If we had a security tracker that is as good as Debian's, I would be
> thrilled. I look at their tracker almost daily. On the other hand, there
> are parts of Debian's web infrastructure that seem to be "crumbling" —
> dead links et cetera. I'm loathe to add non-automated infrastructure to
> Guix if we can't support it properly. I'd rather lack the infrastructure
> than have it half-baked.
>
> For now I use `guix lint -c cve` and my mailing list / bug tracker
> subscriptions.
>
> By the way, `guix lint -c cve` didn't report these two bugs because they
> are still not "disclosed" in the database from which we pull our CVE
> information [0]:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
>
> That's why it's important for Guix developers / users to pay attention
> to the upstream development of packages they are interested in. Until
> upstream security fixes can be reliably detected by an automated system,
> there are no substitutes for human attention, only complements.
>
> [0]
> http://git.savannah.gnu.org/cgit/guix.git/tree/guix/cve.scm#n41

Thanks for explaining the current situation. I don't know about
`guix lint -c cve`. It reports many CVE vulnerabilities. How does it
knows if a particular vulnerability is fixed by a patch?

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

[SECURITY] [PATCH] gnu: libraw: Update to 0.17.2., Alex Vong, 2016/10/14
- Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2., Leo Famulari, 2016/10/14
  - Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2., Alex Vong <=
    - Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2., Leo Famulari, 2016/10/15

Prev by Date: Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
Next by Date: Re: [core-updates]: cycle detected in the references of ...gtk+-3.20.9-bin
Previous by thread: Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
Next by thread: Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
Index(es):
- Date
- Thread