Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.

From:	Leo Famulari
Subject:	Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
Date:	Fri, 14 Oct 2016 13:36:25 -0400
User-agent:	Mutt/1.7.0 (2016-08-17)

On Fri, Oct 14, 2016 at 10:02:58PM +0800, Alex Vong wrote:
> Hi,
> 
> I find out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366,
> 8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to
> 0.17.2.
> 

> From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001
> From: Alex Vong <address@hidden>
> Date: Fri, 14 Oct 2016 21:45:47 +0800
> Subject: [PATCH] gnu: libraw: Update to 0.17.2.
> 
> * gnu/packages/photo.scm (libraw): Update to 0.17.2.

Thank you for catching this and sending a patch!

I added the CVE IDs to the commit message and pushed as
b280e67ca6f62c176c72439df4533a9737b9130a.

> I think we really need a security tracker as suggested earlier (by Leo I
> think), because the bug was disclosed in Dec 2015, so our libraw is
> being vulnerable for 3/4 year, which is pretty scary!

Did I suggest that? I don't usually suggest creating new infrastructure
:)

If we had a security tracker that is as good as Debian's, I would be
thrilled. I look at their tracker almost daily. On the other hand, there
are parts of Debian's web infrastructure that seem to be "crumbling" —
dead links et cetera. I'm loathe to add non-automated infrastructure to
Guix if we can't support it properly. I'd rather lack the infrastructure
than have it half-baked.

For now I use `guix lint -c cve` and my mailing list / bug tracker
subscriptions.

By the way, `guix lint -c cve` didn't report these two bugs because they
are still not "disclosed" in the database from which we pull our CVE
information [0]:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367

That's why it's important for Guix developers / users to pay attention
to the upstream development of packages they are interested in. Until
upstream security fixes can be reliably detected by an automated system,
there are no substitutes for human attention, only complements.

[0]
http://git.savannah.gnu.org/cgit/guix.git/tree/guix/cve.scm#n41

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

[SECURITY] [PATCH] gnu: libraw: Update to 0.17.2., Alex Vong, 2016/10/14
- Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2., Leo Famulari <=
  - Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2., Alex Vong, 2016/10/14
    - Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2., Leo Famulari, 2016/10/15

Prev by Date: Re: [PATCH] Update networkmanager+nm-applet
Next by Date: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
Previous by thread: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
Next by thread: Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
Index(es):
- Date
- Thread