* [SECURITY] libwmf
From: Yaakov Selkowitz @ 2015-06-05 8:17 UTC
To: cygwin-apps

Dr. Volker,

A security vulnerability has been made public for libwmf:

https://bugzilla.redhat.com/show_bug.cgi?id=1227243
http://pkgs.fedoraproject.org/cgit/libwmf.git/plain/libwmf-0.2.8.4-CVE-2015-0848.patch

--
Yaakov

* Re: [SECURITY] libwmf
From: Yaakov Selkowitz @ 2015-06-08 20:42 UTC
To: cygwin-apps

On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
> Dr. Volker,
>
> A security vulnerability has been made public for libwmf:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1227243
> http://pkgs.fedoraproject.org/cgit/libwmf.git/plain/libwmf-0.2.8.4-CVE-2015-0848.patch

Actually, it's worse than that. Despite configuring with --with-sys-gd,
libwmf is still being built with the bundled libgd (which has either an
older or custom API) instead of the system one. Therefore, practically
the entire patchset is required to fix all known vulnerabilities:

http://pkgs.fedoraproject.org/cgit/libwmf.git/

--
Yaakov

* Re: [SECURITY] libwmf
From: Yaakov Selkowitz @ 2015-06-26 16:51 UTC
To: cygwin-apps; +Cc: dr.volker.zell

On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
> > Dr. Volker,
> >
> > A security vulnerability has been made public for libwmf:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
>
> Actually, it's worse than that. Despite configuring with --with-sys-gd,
> libwmf is still being built with the bundled libgd (which has either an
> older or custom API) instead of the system one. Therefore, practically
> the entire patchset is required to fix all known vulnerabilities:
>
> http://pkgs.fedoraproject.org/cgit/libwmf.git/

Are you still with us? There have been further additions to that
patchset for two more CVEs.

--
Yaakov

* Re: [SECURITY] libwmf
From: Dr. Volker Zell @ 2015-06-29 15:56 UTC
To: Yaakov Selkowitz; +Cc: cygwin-apps, dr.volker.zell

>>>>> Yaakov Selkowitz writes:

> On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
>> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
>> > Dr. Volker,
>> >
>> > A security vulnerability has been made public for libwmf:
>> >
>> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
>>
>> Actually, it's worse than that. Despite configuring with --with-sys-gd,
>> libwmf is still being built with the bundled libgd (which has either an
>> older or custom API) instead of the system one. Therefore, practically
>> the entire patchset is required to fix all known vulnerabilities:
>>
>> http://pkgs.fedoraproject.org/cgit/libwmf.git/

> Are you still with us?

Yes, but NO time right now (plus upcoming vacation)

Ciao
Volker

* Re: [SECURITY] libwmf
From: Yaakov Selkowitz @ 2015-07-09 20:09 UTC
To: cygwin-apps; +Cc: Dr. Volker Zell

On Mon, 2015-06-29 at 17:56 +0200, Dr. Volker Zell wrote:
> >>>>> Yaakov Selkowitz writes:
> > On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
> >> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
> >> > Dr. Volker,
> >> >
> >> > A security vulnerability has been made public for libwmf:
> >> >
> >> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
> >>
> >> Actually, it's worse than that. Despite configuring with --with-sys-gd,
> >> libwmf is still being built with the bundled libgd (which has either an
> >> older or custom API) instead of the system one. Therefore, practically
> >> the entire patchset is required to fix all known vulnerabilities:
> >>
> >> http://pkgs.fedoraproject.org/cgit/libwmf.git/
>
> > Are you still with us?
>
> Yes, but NO time right now (plus upcoming vacation)

Understood, I've uploaded 0.2.8.4-15 with the complete patchset.

BTW, tzcode has been a bit neglected as of late, and it's the sort of
package that really needs to be kept timely (forgive the pun). Would
you mind if we took over maintainership?

--
Yaakov

* Re: [SECURITY] libwmf
From: Dr. Volker Zell @ 2015-07-10 5:43 UTC
To: Yaakov Selkowitz; +Cc: cygwin-apps, Dr. Volker Zell

>>>>> Yaakov Selkowitz writes:

> On Mon, 2015-06-29 at 17:56 +0200, Dr. Volker Zell wrote:
>> >>>>> Yaakov Selkowitz writes:
>> > On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
>> >> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
>> >> > Dr. Volker,
>> >> >
>> >> > A security vulnerability has been made public for libwmf:
>> >> >
>> >> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
>> >>
>> >> Actually, it's worse than that. Despite configuring with --with-sys-gd,
>> >> libwmf is still being built with the bundled libgd (which has either an
>> >> older or custom API) instead of the system one. Therefore, practically
>> >> the entire patchset is required to fix all known vulnerabilities:
>> >>
>> >> http://pkgs.fedoraproject.org/cgit/libwmf.git/
>>
>> > Are you still with us?
>>
>> Yes, but NO time right now (plus upcoming vacation)

> Understood, I've uploaded 0.2.8.4-15 with the complete patchset.

Thanks

> BTW, tzcode has been a bit neglected as of late, and it's the sort of
> package that really needs to be kept timely (forgive the pun). Would
> you mind if we took over maintainership?

Just go ahead...

> --
> Yaakov

Ciao
Volker