public inbox for cygwin-apps@cygwin.com
* [SECURITY] libwmf
@ 2015-06-05  8:17 Yaakov Selkowitz
  2015-06-08 20:42 ` Yaakov Selkowitz
  0 siblings, 1 reply; 6+ messages in thread
From: Yaakov Selkowitz @ 2015-06-05  8:17 UTC (permalink / raw)
  To: cygwin-apps

Dr. Volker,

A security vulnerability has been made public for libwmf:

https://bugzilla.redhat.com/show_bug.cgi?id=1227243
http://pkgs.fedoraproject.org/cgit/libwmf.git/plain/libwmf-0.2.8.4-CVE-2015-0848.patch

--
Yaakov



* Re: [SECURITY] libwmf
  2015-06-05  8:17 [SECURITY] libwmf Yaakov Selkowitz
@ 2015-06-08 20:42 ` Yaakov Selkowitz
  2015-06-26 16:51   ` Yaakov Selkowitz
  0 siblings, 1 reply; 6+ messages in thread
From: Yaakov Selkowitz @ 2015-06-08 20:42 UTC (permalink / raw)
  To: cygwin-apps

On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
> Dr. Volker,
> 
> A security vulnerability has been made public for libwmf:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1227243
> http://pkgs.fedoraproject.org/cgit/libwmf.git/plain/libwmf-0.2.8.4-CVE-2015-0848.patch

Actually, it's worse than that.  Despite configuring with --with-sys-gd,
libwmf is still being built with the bundled libgd (which has either an
older or custom API) instead of the system one.  Therefore, practically
the entire patchset is required to fix all known vulnerabilities:

http://pkgs.fedoraproject.org/cgit/libwmf.git/

--
Yaakov

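As an added check (not from the thread or the libwmf project), the following script decides from the built binary whether libwmf really resolved gd as a separate system library or quietly compiled in the bundled copy, the mismatch described above. The `ldd`/`nm` sample outputs, the DLL names and the symbol addresses are constructed for offline use.

```shell
#!/bin/sh
# Added example: detect a vendored libgd inside a libwmf build.
# Two signals from the binary itself:
#   dependency: ldd output names a shared gd library (libgd.so.N / cyggd-N.dll)
#   definition: gd's own API symbols (gdImage*) are DEFINED inside libwmf,
#               which only happens when the bundled libgd was compiled in.

# classify_gd DEPS DEFS  ->  prints "bundled", "system" or "none"
#   DEPS: text in `ldd` format; DEFS: text in `nm --defined-only` format
classify_gd() {
    deps=$1
    defs=$2
    if printf '%s\n' "$defs" | grep -Eq '[[:space:]][TtDd][[:space:]]_?gdImage'; then
        echo bundled      # gd code lives inside libwmf itself
    elif printf '%s\n' "$deps" | grep -Eq '(lib|cyg)gd(-[0-9]+\.dll|\.so)'; then
        echo system       # gd resolved as a separate shared object
    else
        echo none         # no gd linkage visible at all
    fi
}

# check_libwmf_binary PATH -> runs the real tools on an installed library
# (assumes GNU binutils; `nm -D` for ELF, `nm -g` as fallback for Cygwin DLLs)
check_libwmf_binary() {
    deps=$(ldd "$1" 2>/dev/null || true)
    defs=$(nm -D --defined-only "$1" 2>/dev/null || nm -g --defined-only "$1" 2>/dev/null || true)
    classify_gd "$deps" "$defs"
}

# Constructed sample tool outputs (not captured from a real system).
SAMPLE_LDD_SYSTEM='        cyggd-3.dll => /usr/bin/cyggd-3.dll (0x6ee00000)
        cygpng16-16.dll => /usr/bin/cygpng16-16.dll (0x6e000000)'
SAMPLE_NM_SYSTEM='0000000000010a20 T wmf_api_create
0000000000011c40 T wmf_gd_function'
SAMPLE_LDD_BUNDLED='        cygpng16-16.dll => /usr/bin/cygpng16-16.dll (0x6e000000)
        cygjpeg-8.dll => /usr/bin/cygjpeg-8.dll (0x6d000000)'
SAMPLE_NM_BUNDLED='0000000000010a20 T wmf_api_create
0000000000021f00 T gdImageCreate
0000000000022a80 T gdImagePng'

classify_gd "$SAMPLE_LDD_SYSTEM"  "$SAMPLE_NM_SYSTEM"    # prints "system"
classify_gd "$SAMPLE_LDD_BUNDLED" "$SAMPLE_NM_BUNDLED"   # prints "bundled"
```

On a live system, `check_libwmf_binary /usr/bin/cygwmf-0-2-7.dll` (path is an assumption) applies the same classification to the installed library.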


* Re: [SECURITY] libwmf
  2015-06-08 20:42 ` Yaakov Selkowitz
@ 2015-06-26 16:51   ` Yaakov Selkowitz
  2015-06-29 15:56     ` Dr. Volker Zell
  0 siblings, 1 reply; 6+ messages in thread
From: Yaakov Selkowitz @ 2015-06-26 16:51 UTC (permalink / raw)
  To: cygwin-apps; +Cc: dr.volker.zell

On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
> > Dr. Volker,
> > 
> > A security vulnerability has been made public for libwmf:
> > 
> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
> 
> Actually, it's worse than that.  Despite configuring with --with-sys-gd,
> libwmf is still being built with the bundled libgd (which has either an
> older or custom API) instead of the system one.  Therefore, practically
> the entire patchset is required to fix all known vulnerabilities:
> 
> http://pkgs.fedoraproject.org/cgit/libwmf.git/

Are you still with us?  

There have been further additions to that patchset for two more CVEs.

--
Yaakov



* Re: [SECURITY] libwmf
  2015-06-26 16:51   ` Yaakov Selkowitz
@ 2015-06-29 15:56     ` Dr. Volker Zell
  2015-07-09 20:09       ` Yaakov Selkowitz
  0 siblings, 1 reply; 6+ messages in thread
From: Dr. Volker Zell @ 2015-06-29 15:56 UTC (permalink / raw)
  To: Yaakov Selkowitz; +Cc: cygwin-apps, dr.volker.zell

>>>>> Yaakov Selkowitz writes:

    > On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
    >> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
    >> > Dr. Volker,
    >> > 
    >> > A security vulnerability has been made public for libwmf:
    >> > 
    >> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
    >> 
    >> Actually, it's worse than that.  Despite configuring with --with-sys-gd,
    >> libwmf is still being built with the bundled libgd (which has either an
    >> older or custom API) instead of the system one.  Therefore, practically
    >> the entire patchset is required to fix all known vulnerabilities:
    >> 
    >> http://pkgs.fedoraproject.org/cgit/libwmf.git/

    > Are you still with us?  

Yes, but NO time right now (plus upcoming vacation)

Ciao
  Volker
  


* Re: [SECURITY] libwmf
  2015-06-29 15:56     ` Dr. Volker Zell
@ 2015-07-09 20:09       ` Yaakov Selkowitz
  2015-07-10  5:43         ` Dr. Volker Zell
  0 siblings, 1 reply; 6+ messages in thread
From: Yaakov Selkowitz @ 2015-07-09 20:09 UTC (permalink / raw)
  To: cygwin-apps; +Cc: Dr. Volker Zell

On Mon, 2015-06-29 at 17:56 +0200, Dr. Volker Zell wrote:
> >>>>> Yaakov Selkowitz writes:
>     > On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
>     >> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
>     >> > Dr. Volker,
>     >> > 
>     >> > A security vulnerability has been made public for libwmf:
>     >> > 
>     >> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
>     >> 
>     >> Actually, it's worse than that.  Despite configuring with --with-sys-gd,
>     >> libwmf is still being built with the bundled libgd (which has either an
>     >> older or custom API) instead of the system one.  Therefore, practically
>     >> the entire patchset is required to fix all known vulnerabilities:
>     >> 
>     >> http://pkgs.fedoraproject.org/cgit/libwmf.git/
> 
>     > Are you still with us?  
> 
> Yes, but NO time right now (plus upcoming vacation)

Understood, I've uploaded 0.2.8.4-15 with the complete patchset.

BTW, tzcode has been a bit neglected as of late, and it's the sort of
package that really needs to be kept timely (forgive the pun).  Would
you mind if we took over maintainership?

--
Yaakov



* Re: [SECURITY] libwmf
  2015-07-09 20:09       ` Yaakov Selkowitz
@ 2015-07-10  5:43         ` Dr. Volker Zell
  0 siblings, 0 replies; 6+ messages in thread
From: Dr. Volker Zell @ 2015-07-10  5:43 UTC (permalink / raw)
  To: Yaakov Selkowitz; +Cc: cygwin-apps, Dr. Volker Zell

>>>>> Yaakov Selkowitz writes:

    > On Mon, 2015-06-29 at 17:56 +0200, Dr. Volker Zell wrote:
    >> >>>>> Yaakov Selkowitz writes:
    >> > On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
    >> >> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
    >> >> > Dr. Volker,
    >> >> > 
    >> >> > A security vulnerability has been made public for libwmf:
    >> >> > 
    >> >> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
    >> >> 
    >> >> Actually, it's worse than that.  Despite configuring with --with-sys-gd,
    >> >> libwmf is still being built with the bundled libgd (which has either an
    >> >> older or custom API) instead of the system one.  Therefore, practically
    >> >> the entire patchset is required to fix all known vulnerabilities:
    >> >> 
    >> >> http://pkgs.fedoraproject.org/cgit/libwmf.git/
    >> 
    >> > Are you still with us?  
    >> 
    >> Yes, but NO time right now (plus upcoming vacation)

    > Understood, I've uploaded 0.2.8.4-15 with the complete patchset.

Thanks
    
    > BTW, tzcode has been a bit neglected as of late, and it's the sort of
    > package that really needs to be kept timely (forgive the pun).  Would
    > you mind if we took over maintainership?

Just go ahead...
    
    > --
    > Yaakov

Ciao
  Volker
  

