From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2. Date: Fri, 14 Oct 2016 13:36:25 -0400 Message-ID: <20161014173625.GB23963@jasmine> References: <87mvi7f2p9.fsf@gmail.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="ADZbWkCsHQ7r3kzd" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:54931) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1bv6PX-0004Ez-J7 for guix-devel@gnu.org; Fri, 14 Oct 2016 13:36:53 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1bv6PR-0000JL-B8 for guix-devel@gnu.org; Fri, 14 Oct 2016 13:36:47 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:56356) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1bv6PP-0000HE-VY for guix-devel@gnu.org; Fri, 14 Oct 2016 13:36:41 -0400 Content-Disposition: inline In-Reply-To: <87mvi7f2p9.fsf@gmail.com> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Alex Vong Cc: guix-devel@gnu.org --ADZbWkCsHQ7r3kzd Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Oct 14, 2016 at 10:02:58PM +0800, Alex Vong wrote: > Hi, >=20 > I find out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366, > 8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to > 0.17.2. >=20 > From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001 > From: Alex Vong > Date: Fri, 14 Oct 2016 21:45:47 +0800 > Subject: [PATCH] gnu: libraw: Update to 0.17.2. >=20 > * gnu/packages/photo.scm (libraw): Update to 0.17.2. Thank you for catching this and sending a patch! I added the CVE IDs to the commit message and pushed as b280e67ca6f62c176c72439df4533a9737b9130a. > I think we really need a security tracker as suggested earlier (by Leo I > think), because the bug was disclosed in Dec 2015, so our libraw is > being vulnerable for 3/4 year, which is pretty scary! Did I suggest that? I don't usually suggest creating new infrastructure :) If we had a security tracker that is as good as Debian's, I would be thrilled. I look at their tracker almost daily. On the other hand, there are parts of Debian's web infrastructure that seem to be "crumbling" =E2=80= =94 dead links et cetera. I'm loathe to add non-automated infrastructure to Guix if we can't support it properly. I'd rather lack the infrastructure than have it half-baked. For now I use `guix lint -c cve` and my mailing list / bug tracker subscriptions. By the way, `guix lint -c cve` didn't report these two bugs because they are still not "disclosed" in the database from which we pull our CVE information [0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-8366 https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-8367 That's why it's important for Guix developers / users to pay attention to the upstream development of packages they are interested in. Until upstream security fixes can be reliably detected by an automated system, there are no substitutes for human attention, only complements. [0] http://git.savannah.gnu.org/cgit/guix.git/tree/guix/cve.scm#n41 --ADZbWkCsHQ7r3kzd Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJYAReWAAoJECZG+jC6yn8ILzoQAN0zxAjnIG4pDdzRAaM9xasC m5FjmVezY+dhji9lCoizQZiazwYr9L1UkQc27CeFSqZcUioZ3h7m9dhX66R2rr7k 5Lnklq3p2b8A0qVo6i+3Jiphlz+ZcGKLGNV2DPoTaqmAgqNO7JORmrFVGnNQde7F fpZeBtXWFelwlwhGuiiXGJxxf9lLK4xZQFee5g8lAKqRTG6H2zwidjraP2bBdOAA k8Slow+Cj5VnXQ2pAYSOJYuRR4Y6imtAdBNSN8awibiTVUojvQmvsgiv1YVZJuUv LbB7HwlFezpmN1cDqYfYhgDsV4le9inciVJEJk78eusivaoDb7kXgMNkZYYHA4OT zhc7oTLC2563YMy1toYQoGJDksHILK14kFAHtYNWwX4OPUaTQHGQfM2BI0VCvZeT tkl/Wuj1U+dk980D//KWFTAOjqFPJgK42zMShE+iLDZ9mEJtiA6wJhnR9FrIv7e7 AgL1Pgb9Q0ICCtPiI9d31dxR1N54A0JQFVgnL0+oBlziOJonQTfpVekojJquGGG5 HzuxSrwRiS/Pzv1BBj7tapkJZDdLo2jO96XpIJpDiye6jEZ9n5c93vxFigE7uX+1 iWifmILGZVpwlUGBwWYBW5kjNZJCq/SopyQTsGfszT13YCeWuFDfQuaZ0sOOlTQk A1wRBZ5ONIw5RB8rUYbY =rLZ6 -----END PGP SIGNATURE----- --ADZbWkCsHQ7r3kzd--