unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Leo Famulari <leo@famulari.name>
To: Kei Kebreau <kei@openmailbox.org>
Cc: guix-devel@gnu.org
Subject: Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
Date: Sat, 15 Oct 2016 15:50:05 -0400	[thread overview]
Message-ID: <20161015195005.GC8809@jasmine> (raw)
In-Reply-To: <87instcue6.fsf@openmailbox.org>

[-- Attachment #1: Type: text/plain, Size: 1720 bytes --]

On Sat, Oct 15, 2016 at 02:57:37PM -0400, Kei Kebreau wrote:
> Efraim Flashner <efraim@flashner.co.il> writes:
> > On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
> >> Leo Famulari <leo@famulari.name> writes:
> >> > Debian has a patch to make it use "system" copies of the libraries:
> >> >
> >> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
> >> >
> >> > For now, our freeimage package is probably vulnerable to many publicly
> >> > disclosed security bugs.
> >> >
> >> > Who volunteers to try fixing this?
> >> 
> >> The patch is attached. I've removed the bit from Debian that disables JPEG
> >> transformation functions, as seen below. JPEGTransform.cpp (in
> >> Source/FreeImageToolkit) gave me some trouble when I left that part of
> >> the patch alone.
>
> > I was looking at it and I thought it was going to be much more than 400
> > lines in the end.
> >
> > Did we also need the other patch?
> > https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
> >
> > On one hand we could carry a modified version of Debian's patch, on the
> > other hand some of these look like they could be a series of substitute*
> > commands. I started looking through the patch and thinking how to
> > convert them from "../path/to/header.h" to <header.h> and realizing I
> > myself wouldn't want to do that, so that could easily be an option for
> > another time :).
> 
> Looking at its contents, adding that patch would make a lot of sense. :-)

Yes, I think we need to use both patches. Will you submit an updated
version of your patch?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

  reply	other threads:[~2016-10-15 19:50 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20161014104404.22087.86582@vcs.savannah.gnu.org>
     [not found] ` <20161014104405.901E322012A@vcs.savannah.gnu.org>
2016-10-14 17:48   ` Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.] Leo Famulari
2016-10-15  0:09     ` Kei Kebreau
2016-10-15 18:03       ` Efraim Flashner
2016-10-15 18:57         ` Kei Kebreau
2016-10-15 19:50           ` Leo Famulari [this message]
2016-10-16  2:30             ` Kei Kebreau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161015195005.GC8809@jasmine \
    --to=leo@famulari.name \
    --cc=guix-devel@gnu.org \
    --cc=kei@openmailbox.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).