From: Alex Vong
Subject: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
Date: Fri, 14 Oct 2016 22:02:58 +0800
Message-ID: <87mvi7f2p9.fsf@gmail.com>
To: guix-devel@gnu.org

Hi,

I found out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366, 8367} [0], which are fixed in 0.17.1 [1]. The patch below updates libraw to 0.17.2.

From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001
From: Alex Vong
Date: Fri, 14 Oct 2016 21:45:47 +0800
Subject: [PATCH] gnu: libraw: Update to 0.17.2.

* gnu/packages/photo.scm (libraw): Update to 0.17.2.
---
 gnu/packages/photo.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm index 8eb5337..f4d110e 100644 =2D-- a/gnu/packages/photo.scm +++ b/gnu/packages/photo.scm @@ -51,14 +51,14 @@ (define-public libraw (package (name "libraw") =2D (version "0.17.0") + (version "0.17.2") (source (origin (method url-fetch) (uri (string-append "http://www.libraw.org/data/LibRaw-" version ".tar.gz")) (sha256 (base32 =2D "043kckxjqanw8dl3m9f6kvsf0l20ywxmgxd1xb0slj6m8l4w4hz6"))= )) + "0p6imxpsfn82i0i9w27fnzq6q6gwzvb9f7sygqqakv36fqnc9c4j")))) (build-system gnu-build-system) (home-page "http://www.libraw.org") (synopsis "Raw image decoder") =2D-=20 2.10.1

I think we really need a security tracker, as suggested earlier (by Leo, I think), because the bug was disclosed in Dec 2015, so our libraw has been vulnerable for 3/4 of a year, which is pretty scary!

Alex

[0]: https://security-tracker.debian.org/tracker/source-package/libraw
[1]: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2
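Review bot: the commit message for this hunk records only the version bump; since the cover letter says the update exists to close CVE-2015-8366 and CVE-2015-8367, name them in the commit message (for example on a second line under `* gnu/packages/photo.scm (libraw): Update to 0.17.2.`) so the security motivation survives in `git log`. Before pushing, also confirm the new hash `0p6imxpsfn82i0i9w27fnzq6q6gwzvb9f7sygqqakv36fqnc9c4j` by fetching the 0.17.2 tarball yourself with `guix download`, since the `uri` retrieves it over plain http and this sha256 is the only integrity check the recipe provides.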