From: Leo Famulari <leo@famulari.name>
To: Alex Vong <alexvong1995@gmail.com>
Cc: guix-devel@gnu.org
Subject: Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
Date: Sat, 15 Oct 2016 15:52:39 -0400
Message-ID: <20161015195239.GD8809@jasmine>
In-Reply-To: <87twceqwpm.fsf@gmail.com>
On Sat, Oct 15, 2016 at 08:31:33AM +0800, Alex Vong wrote:
> Leo Famulari <leo@famulari.name> writes:
>
> > On Fri, Oct 14, 2016 at 10:02:58PM +0800, Alex Vong wrote:
> >> Hi,
> >>
> >> I found out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366,
> >> 8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to
> >> 0.17.2.
> >>
> >
> >> From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001
> >> From: Alex Vong <alexvong1995@gmail.com>
> >> Date: Fri, 14 Oct 2016 21:45:47 +0800
> >> Subject: [PATCH] gnu: libraw: Update to 0.17.2.
> >>
> >> * gnu/packages/photo.scm (libraw): Update to 0.17.2.
> >
> > Thank you for catching this and sending a patch!
> >
> > I added the CVE IDs to the commit message and pushed as
> > b280e67ca6f62c176c72439df4533a9737b9130a.
> >
> >> I think we really need a security tracker as suggested earlier (by Leo I
> >> think), because the bug was disclosed in Dec 2015, so our libraw has
> >> been vulnerable for 3/4 of a year, which is pretty scary!
> >
> > Did I suggest that? I don't usually suggest creating new infrastructure
> > :)
> >
> Ok. It must have been someone else suggesting creating a website... :)
>
> > If we had a security tracker that is as good as Debian's, I would be
> > thrilled. I look at their tracker almost daily. On the other hand, there
> > are parts of Debian's web infrastructure that seem to be "crumbling" —
> > dead links et cetera. I'm loath to add non-automated infrastructure to
> > Guix if we can't support it properly. I'd rather lack the infrastructure
> > than have it half-baked.
> >
> > For now I use `guix lint -c cve` and my mailing list / bug tracker
> > subscriptions.
> >
> > By the way, `guix lint -c cve` didn't report these two bugs because they
> > are still not "disclosed" in the database from which we pull our CVE
> > information [0]:
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
> >
> > That's why it's important for Guix developers / users to pay attention
> > to the upstream development of packages they are interested in. Until
> > upstream security fixes can be reliably detected by an automated system,
> > there are no substitutes for human attention, only complements.
> >
> > [0]
> > http://git.savannah.gnu.org/cgit/guix.git/tree/guix/cve.scm#n41
>
> Thanks for explaining the current situation. I didn't know about
> `guix lint -c cve`. It reports many CVE vulnerabilities. How does it
> know if a particular vulnerability is fixed by a patch?
If I understand correctly, the linter looks for a CVE ID in the patch
file names [0]:
------
(define (check-vulnerabilities package)
  "Check for known vulnerabilities for PACKAGE."
  (let ((package (or (package-replacement package) package)))
    (match (package-vulnerabilities package)
      (()
       #t)
      ((vulnerabilities ...)
       (let* ((patches (filter-map patch-file-name
                                   (or (and=> (package-source package)
                                              origin-patches)
                                       '())))
              (unpatched (remove (lambda (vuln)
                                   (find (cute string-contains
                                               <> (vulnerability-id vuln))
                                         patches))
                                 vulnerabilities)))
         (unless (null? unpatched)
           (emit-warning package
                         (format #f (_ "probably vulnerable to ~a")
                                 (string-join (map vulnerability-id unpatched)
                                              ", ")))))))))
------
[0]
http://git.savannah.gnu.org/cgit/guix.git/tree/guix/scripts/lint.scm#n684
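An added example, not part of this message and not Guix's own code: the matching rule from check-vulnerabilities, transcribed into Python so that the two failure modes discussed in the thread (a fix whose patch is not named after its CVE, and a CVE the database has not published yet) can be exercised offline. The package records, patch names and CVE lists below are constructed for the example; Guix's Scheme record types and its CVE database lookup are not used, only the substring test on patch file names and the replacement (graft) handling.

```python
# Python transcription of the guix lint CVE checker quoted above.
# Example code, not part of Guix; all data below is constructed.

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Vulnerability:
    id: str  # e.g. "CVE-2015-8366"


@dataclass
class Package:
    name: str
    version: str
    patches: List[str] = field(default_factory=list)  # origin-patches file names
    replacement: Optional["Package"] = None  # package-replacement (a graft), if any


def unpatched_vulnerabilities(package: Package,
                              vulnerabilities: List[Vulnerability]) -> List[Vulnerability]:
    """Mirror check-vulnerabilities: inspect the replacement when there is one,
    then keep every CVE whose ID is not a substring of some patch file name."""
    package = package.replacement or package
    return [v for v in vulnerabilities
            if not any(v.id in patch for patch in package.patches)]


def lint_cve(package: Package, vulnerabilities: List[Vulnerability]) -> Optional[str]:
    """Return the warning text the linter would print, or None if nothing is flagged."""
    unpatched = unpatched_vulnerabilities(package, vulnerabilities)
    if not unpatched:
        return None
    return "%s@%s: probably vulnerable to %s" % (
        package.name, package.version, ", ".join(v.id for v in unpatched))


# Constructed: what the CVE database would return for libraw 0.17.0 once the
# two IDs are published (they were not at the time of the thread).
LIBRAW_CVES = [Vulnerability("CVE-2015-8366"), Vulnerability("CVE-2015-8367")]


def demo() -> dict:
    """Run the rule over five scenarios; returns the warning (or None) per scenario."""
    results = {}

    # 1. No patches at all: both CVEs are reported.
    plain = Package("libraw", "0.17.0")
    results["no-patches"] = lint_cve(plain, LIBRAW_CVES)

    # 2. One patch named after its CVE: only the other CVE is reported.
    one = Package("libraw", "0.17.0", patches=["libraw-CVE-2015-8366.patch"])
    results["one-patch"] = lint_cve(one, LIBRAW_CVES)

    # 3. A graft carrying both patches: the replacement is what gets checked,
    #    so the grafted package is not reported.
    fixed = Package("libraw", "0.17.0",
                    patches=["libraw-CVE-2015-8366.patch",
                             "libraw-CVE-2015-8367.patch"])
    grafted = Package("libraw", "0.17.0", replacement=fixed)
    results["grafted"] = lint_cve(grafted, LIBRAW_CVES)

    # 4. Caveat: only file names are inspected. A patch that fixes both bugs
    #    but is not named after them is still reported (false positive) ...
    misnamed = Package("libraw", "0.17.0", patches=["libraw-dcraw-overflows.patch"])
    results["misnamed-patch"] = lint_cve(misnamed, LIBRAW_CVES)

    # 5. ... and, as in the thread, a CVE the database has not published is
    #    never reported, however vulnerable the package is (false negative).
    results["undisclosed"] = lint_cve(plain, [])
    return results


if __name__ == "__main__":
    for scenario, warning in demo().items():
        print("%-15s %s" % (scenario, warning))
```

The last two scenarios are the practical limits of `guix lint -c cve`: the check can only be as good as the patch naming convention and the CVE feed it reads, which is why the message above still recommends following upstream directly.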
Thread overview: 4+ messages
2016-10-14 14:02 [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2 Alex Vong
2016-10-14 17:36 ` Leo Famulari
2016-10-15 0:31 ` Alex Vong
2016-10-15 19:52 ` Leo Famulari [this message]