* [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
@ 2016-10-14 14:02 Alex Vong
2016-10-14 17:36 ` Leo Famulari
0 siblings, 1 reply; 4+ messages in thread
From: Alex Vong @ 2016-10-14 14:02 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 156 bytes --]
Hi,
I find out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366,
8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to
0.17.2.
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0001-gnu-libraw-Update-to-0.17.2.patch --]
[-- Type: text/x-diff, Size: 1153 bytes --]
From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Fri, 14 Oct 2016 21:45:47 +0800
Subject: [PATCH] gnu: libraw: Update to 0.17.2.
* gnu/packages/photo.scm (libraw): Update to 0.17.2.
---
gnu/packages/photo.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm
index 8eb5337..f4d110e 100644
--- a/gnu/packages/photo.scm
+++ b/gnu/packages/photo.scm
@@ -51,14 +51,14 @@
(define-public libraw
(package
(name "libraw")
- (version "0.17.0")
+ (version "0.17.2")
(source (origin
(method url-fetch)
(uri (string-append "http://www.libraw.org/data/LibRaw-"
version ".tar.gz"))
(sha256
(base32
- "043kckxjqanw8dl3m9f6kvsf0l20ywxmgxd1xb0slj6m8l4w4hz6"))))
+ "0p6imxpsfn82i0i9w27fnzq6q6gwzvb9f7sygqqakv36fqnc9c4j"))))
(build-system gnu-build-system)
(home-page "http://www.libraw.org")
(synopsis "Raw image decoder")
--
2.10.1
[-- Attachment #1.3: Type: text/plain, Size: 360 bytes --]
I think we really need a security tracker as suggested earlier (by Leo I
think), because the bug was disclosed in Dec 2015, so our libraw is
being vulnerable for 3/4 year, which is pretty scary!
Alex
[0]: https://security-tracker.debian.org/tracker/source-package/libraw
[1]: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 454 bytes --]
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
2016-10-14 14:02 [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2 Alex Vong
@ 2016-10-14 17:36 ` Leo Famulari
2016-10-15 0:31 ` Alex Vong
0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2016-10-14 17:36 UTC (permalink / raw)
To: Alex Vong; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 2068 bytes --]
On Fri, Oct 14, 2016 at 10:02:58PM +0800, Alex Vong wrote:
> Hi,
>
> I find out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366,
> 8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to
> 0.17.2.
>
> From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Fri, 14 Oct 2016 21:45:47 +0800
> Subject: [PATCH] gnu: libraw: Update to 0.17.2.
>
> * gnu/packages/photo.scm (libraw): Update to 0.17.2.
Thank you for catching this and sending a patch!
I added the CVE IDs to the commit message and pushed as
b280e67ca6f62c176c72439df4533a9737b9130a.
> I think we really need a security tracker as suggested earlier (by Leo I
> think), because the bug was disclosed in Dec 2015, so our libraw is
> being vulnerable for 3/4 year, which is pretty scary!
Did I suggest that? I don't usually suggest creating new infrastructure
:)
If we had a security tracker that is as good as Debian's, I would be
thrilled. I look at their tracker almost daily. On the other hand, there
are parts of Debian's web infrastructure that seem to be "crumbling" —
dead links et cetera. I'm loathe to add non-automated infrastructure to
Guix if we can't support it properly. I'd rather lack the infrastructure
than have it half-baked.
For now I use `guix lint -c cve` and my mailing list / bug tracker
subscriptions.
By the way, `guix lint -c cve` didn't report these two bugs because they
are still not "disclosed" in the database from which we pull our CVE
information [0]:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
That's why it's important for Guix developers / users to pay attention
to the upstream development of packages they are interested in. Until
upstream security fixes can be reliably detected by an automated system,
there are no substitutes for human attention, only complements.
[0]
http://git.savannah.gnu.org/cgit/guix.git/tree/guix/cve.scm#n41
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
2016-10-14 17:36 ` Leo Famulari
@ 2016-10-15 0:31 ` Alex Vong
2016-10-15 19:52 ` Leo Famulari
0 siblings, 1 reply; 4+ messages in thread
From: Alex Vong @ 2016-10-15 0:31 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 2449 bytes --]
Leo Famulari <leo@famulari.name> writes:
> On Fri, Oct 14, 2016 at 10:02:58PM +0800, Alex Vong wrote:
>> Hi,
>>
>> I find out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366,
>> 8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to
>> 0.17.2.
>>
>
>> From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Fri, 14 Oct 2016 21:45:47 +0800
>> Subject: [PATCH] gnu: libraw: Update to 0.17.2.
>>
>> * gnu/packages/photo.scm (libraw): Update to 0.17.2.
>
> Thank you for catching this and sending a patch!
>
> I added the CVE IDs to the commit message and pushed as
> b280e67ca6f62c176c72439df4533a9737b9130a.
>
>> I think we really need a security tracker as suggested earlier (by Leo I
>> think), because the bug was disclosed in Dec 2015, so our libraw is
>> being vulnerable for 3/4 year, which is pretty scary!
>
> Did I suggest that? I don't usually suggest creating new infrastructure
> :)
>
Ok. It must be someone else suggesting creating a website... :)
> If we had a security tracker that is as good as Debian's, I would be
> thrilled. I look at their tracker almost daily. On the other hand, there
> are parts of Debian's web infrastructure that seem to be "crumbling" —
> dead links et cetera. I'm loathe to add non-automated infrastructure to
> Guix if we can't support it properly. I'd rather lack the infrastructure
> than have it half-baked.
>
> For now I use `guix lint -c cve` and my mailing list / bug tracker
> subscriptions.
>
> By the way, `guix lint -c cve` didn't report these two bugs because they
> are still not "disclosed" in the database from which we pull our CVE
> information [0]:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
>
> That's why it's important for Guix developers / users to pay attention
> to the upstream development of packages they are interested in. Until
> upstream security fixes can be reliably detected by an automated system,
> there are no substitutes for human attention, only complements.
>
> [0]
> http://git.savannah.gnu.org/cgit/guix.git/tree/guix/cve.scm#n41
Thanks for explaining the current situation. I don't know about
`guix lint -c cve`. It reports many CVE vulnerabilities. How does it
knows if a particular vulnerability is fixed by a patch?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 454 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
2016-10-15 0:31 ` Alex Vong
@ 2016-10-15 19:52 ` Leo Famulari
0 siblings, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2016-10-15 19:52 UTC (permalink / raw)
To: Alex Vong; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 3880 bytes --]
On Sat, Oct 15, 2016 at 08:31:33AM +0800, Alex Vong wrote:
> Leo Famulari <leo@famulari.name> writes:
>
> > On Fri, Oct 14, 2016 at 10:02:58PM +0800, Alex Vong wrote:
> >> Hi,
> >>
> >> I find out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366,
> >> 8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to
> >> 0.17.2.
> >>
> >
> >> From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001
> >> From: Alex Vong <alexvong1995@gmail.com>
> >> Date: Fri, 14 Oct 2016 21:45:47 +0800
> >> Subject: [PATCH] gnu: libraw: Update to 0.17.2.
> >>
> >> * gnu/packages/photo.scm (libraw): Update to 0.17.2.
> >
> > Thank you for catching this and sending a patch!
> >
> > I added the CVE IDs to the commit message and pushed as
> > b280e67ca6f62c176c72439df4533a9737b9130a.
> >
> >> I think we really need a security tracker as suggested earlier (by Leo I
> >> think), because the bug was disclosed in Dec 2015, so our libraw is
> >> being vulnerable for 3/4 year, which is pretty scary!
> >
> > Did I suggest that? I don't usually suggest creating new infrastructure
> > :)
> >
> Ok. It must be someone else suggesting creating a website... :)
>
> > If we had a security tracker that is as good as Debian's, I would be
> > thrilled. I look at their tracker almost daily. On the other hand, there
> > are parts of Debian's web infrastructure that seem to be "crumbling" —
> > dead links et cetera. I'm loathe to add non-automated infrastructure to
> > Guix if we can't support it properly. I'd rather lack the infrastructure
> > than have it half-baked.
> >
> > For now I use `guix lint -c cve` and my mailing list / bug tracker
> > subscriptions.
> >
> > By the way, `guix lint -c cve` didn't report these two bugs because they
> > are still not "disclosed" in the database from which we pull our CVE
> > information [0]:
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
> >
> > That's why it's important for Guix developers / users to pay attention
> > to the upstream development of packages they are interested in. Until
> > upstream security fixes can be reliably detected by an automated system,
> > there are no substitutes for human attention, only complements.
> >
> > [0]
> > http://git.savannah.gnu.org/cgit/guix.git/tree/guix/cve.scm#n41
>
> Thanks for explaining the current situation. I don't know about
> `guix lint -c cve`. It reports many CVE vulnerabilities. How does it
> knows if a particular vulnerability is fixed by a patch?
If I understand correctly, the linter looks for a CVE ID in the patch
file names [0]:
------
(define (check-vulnerabilities package)
"Check for known vulnerabilities for PACKAGE."
(let ((package (or (package-replacement package) package)))
(match (package-vulnerabilities package)
(()
#t)
((vulnerabilities ...)
(let* ((patches (filter-map patch-file-name
(or (and=> (package-source package)
origin-patches)
'())))
(unpatched (remove (lambda (vuln)
(find (cute string-contains
<> (vulnerability-id vuln))
patches))
vulnerabilities)))
(unless (null? unpatched)
(emit-warning package
(format #f (_ "probably vulnerable to ~a")
(string-join (map vulnerability-id unpatched)
", ")))))))))
------
[0]
http://git.savannah.gnu.org/cgit/guix.git/tree/guix/scripts/lint.scm#n684
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-10-15 19:52 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-10-14 14:02 [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2 Alex Vong
2016-10-14 17:36 ` Leo Famulari
2016-10-15 0:31 ` Alex Vong
2016-10-15 19:52 ` Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).