From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <cygwin-apps-return-36218-listarch-cygwin-apps=sources.redhat.com@cygwin.com>
Received: (qmail 50677 invoked by alias); 8 Jun 2015 20:42:59 -0000
Mailing-List: contact cygwin-apps-help@cygwin.com; run by ezmlm
Precedence: bulk
Sender: cygwin-apps-owner@cygwin.com
List-Id: <cygwin-apps.cygwin.com>
List-Subscribe: <mailto:cygwin-apps-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin-apps/>
List-Post: <mailto:cygwin-apps@cygwin.com>
List-Help: <mailto:cygwin-apps-help@cygwin.com>, <http://sourceware.org/lists.html#faqs>
Mail-Followup-To: cygwin-apps@cygwin.com
Received: (qmail 50408 invoked by uid 89); 8 Jun 2015 20:42:58 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=0.3 required=5.0 tests=AWL,BAYES_50,KAM_LAZY_DOMAIN_SECURITY,SPF_HELO_PASS autolearn=no version=3.3.2
X-HELO: mx1.redhat.com
Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES256-GCM-SHA384 encrypted) ESMTPS; Mon, 08 Jun 2015 20:42:55 +0000
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27])	by mx1.redhat.com (Postfix) with ESMTPS id 8D167C0144	for <cygwin-apps@cygwin.com>; Mon,  8 Jun 2015 20:42:53 +0000 (UTC)
Received: from YAAKOV04.redhat.com ([10.10.116.26])	by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t58Kgp1v028777	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)	for <cygwin-apps@cygwin.com>; Mon, 8 Jun 2015 16:42:53 -0400
Message-ID: <1433796174.10576.9.camel@cygwin.com>
Subject: Re: [SECURITY] libwmf
From: Yaakov Selkowitz <yselkowitz@cygwin.com>
To: cygwin-apps@cygwin.com
Date: Mon, 08 Jun 2015 20:42:00 -0000
In-Reply-To: <1433492253.14544.12.camel@cygwin.com>
References: <1433492253.14544.12.camel@cygwin.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-IsSubscribed: yes
X-SW-Source: 2015-06/txt/msg00073.txt.bz2

On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
> Dr. Volker,
> 
> A security vulnerability has been made public for libwmf:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1227243
> http://pkgs.fedoraproject.org/cgit/libwmf.git/plain/libwmf-0.2.8.4-CVE-2015-0848.patch

Actually, it's worse than that.  Despite configuring with --with-sys-gd,
libwmf is still being built with the bundled libgd (which has either an
older or custom API) instead of the system one.  Therefore, practically
the entire patchset is required to fix all known vulnerabilities:

http://pkgs.fedoraproject.org/cgit/libwmf.git/

--
Yaakov