Message-ID: <1436472549.7208.46.camel@cygwin.com>
Subject: Re: [SECURITY] libwmf
From: Yaakov Selkowitz
To: cygwin-apps@cygwin.com
Cc: "Dr. Volker Zell"
Date: Thu, 09 Jul 2015 20:09:00 -0000

On Mon, 2015-06-29 at 17:56 +0200, Dr. Volker Zell wrote:
> >>>>> Yaakov Selkowitz writes:
> > On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
> >> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
> >> > Dr. Volker,
> >> >
> >> > A security vulnerability has been made public for libwmf:
> >> >
> >> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
> >>
> >> Actually, it's worse than that. Despite configuring with --with-sys-gd,
> >> libwmf is still being built with the bundled libgd (which has either an
> >> older or custom API) instead of the system one. Therefore, practically
> >> the entire patchset is required to fix all known vulnerabilities:
> >>
> >> http://pkgs.fedoraproject.org/cgit/libwmf.git/
>
> > Are you still with us?
>
> Yes, but NO time right now (plus upcoming vacation)

Understood, I've uploaded 0.2.8.4-15 with the complete patchset.

BTW, tzcode has been a bit neglected as of late, and it's the sort of
package that really needs to be kept timely (forgive the pun). Would
you mind if we took over maintainership?

--
Yaakov