From: Alex Vong
Subject: Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
Date: Sat, 15 Oct 2016 08:31:33 +0800
Message-ID: <87twceqwpm.fsf@gmail.com>
In-Reply-To: <20161014173625.GB23963@jasmine> (Leo Famulari's message of "Fri, 14 Oct 2016 13:36:25 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> On Fri, Oct 14, 2016 at 10:02:58PM +0800, Alex Vong wrote:
>> Hi,
>>
>> I found out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366,
>> 8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to
>> 0.17.2.
>>
>
>> From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001
>> From: Alex Vong
>> Date: Fri, 14 Oct 2016 21:45:47 +0800
>> Subject: [PATCH] gnu: libraw: Update to 0.17.2.
>>
>> * gnu/packages/photo.scm (libraw): Update to 0.17.2.
>
> Thank you for catching this and sending a patch!
>
> I added the CVE IDs to the commit message and pushed as
> b280e67ca6f62c176c72439df4533a9737b9130a.
>
>> I think we really need a security tracker as suggested earlier (by Leo I
>> think), because the bug was disclosed in Dec 2015, so our libraw is
>> being vulnerable for 3/4 year, which is pretty scary!
>
> Did I suggest that? I don't usually suggest creating new infrastructure
> :)
>

Ok. It must be someone else suggesting creating a website... :)

> If we had a security tracker that is as good as Debian's, I would be
> thrilled. I look at their tracker almost daily. On the other hand, there
> are parts of Debian's web infrastructure that seem to be "crumbling" —
> dead links et cetera. I'm loathe to add non-automated infrastructure to
> Guix if we can't support it properly. I'd rather lack the infrastructure
> than have it half-baked.
>
> For now I use `guix lint -c cve` and my mailing list / bug tracker
> subscriptions.
>
> By the way, `guix lint -c cve` didn't report these two bugs because they
> are still not "disclosed" in the database from which we pull our CVE
> information [0]:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
>
> That's why it's important for Guix developers / users to pay attention
> to the upstream development of packages they are interested in. Until
> upstream security fixes can be reliably detected by an automated system,
> there are no substitutes for human attention, only complements.
>
> [0]
> http://git.savannah.gnu.org/cgit/guix.git/tree/guix/cve.scm#n41

Thanks for explaining the current situation.

I don't know about `guix lint -c cve`. It reports many CVE vulnerabilities. How does it know if a particular vulnerability is fixed by a patch?
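The following is an added illustration of the mechanism discussed in this thread; it is example code written for this page, not Guix's own implementation (which lives in guix/lint.scm and guix/cve.scm and is not reproduced here). It models a package-versus-CVE-feed check in the style of `guix lint -c cve`: a package is flagged when a feed entry names its product and its version lies in the affected range. Two ways of marking a CVE as handled are assumed for the example rather than taken from the page: a patch whose file name contains the CVE id, and a hypothetical `hidden_cves` list standing in for a package property. The feed itself is constructed; only the fact that CVE-2015-8366/8367 were fixed in libraw 0.17.1 comes from the thread. The last check shows Leo's point: a CVE that has not yet been published in the feed cannot be reported at all, however vulnerable the package is.

```python
"""Toy CVE matcher in the spirit of `guix lint -c cve` (example code, not Guix's).

Constructed inputs: a tiny in-memory CVE feed (not the real NVD/MITRE data)
and a few package records.  A package is reported for a CVE when the CVE's
product equals the package name and the package version falls inside the
affected range, unless (a) one of the package's patches carries the CVE id
in its file name, or (b) the id is listed in the package's hidden_cves list
(a hypothetical stand-in for a per-package lint property).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Matches identifiers such as CVE-2015-8366 anywhere in a string.
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_version(v: str) -> tuple:
    """Turn '0.17.1' into (0, 17, 1) so versions compare numerically."""
    return tuple(int(x) for x in v.split("."))


@dataclass
class CveEntry:
    cve_id: str
    product: str
    affected_from: str          # inclusive lower bound
    fixed_in: Optional[str]     # exclusive upper bound; None = no fix known


@dataclass
class Package:
    name: str
    version: str
    patches: List[str] = field(default_factory=list)
    hidden_cves: List[str] = field(default_factory=list)


# Constructed feed.  The libraw ranges reflect the thread (fixed in 0.17.1);
# the third entry is a placeholder id for an unrelated, unfixed issue.
CVE_FEED = [
    CveEntry("CVE-2015-8366", "libraw", "0.0", "0.17.1"),
    CveEntry("CVE-2015-8367", "libraw", "0.0", "0.17.1"),
    CveEntry("CVE-2099-0001", "examplelib", "1.0", None),  # placeholder id
]


def affected(entry: CveEntry, version: str) -> bool:
    """True when VERSION lies in [affected_from, fixed_in)."""
    v = parse_version(version)
    if v < parse_version(entry.affected_from):
        return False
    if entry.fixed_in is not None and v >= parse_version(entry.fixed_in):
        return False
    return True


def patched_cves(pkg: Package) -> set:
    """CVE ids mentioned in the package's patch file names."""
    ids = set()
    for patch in pkg.patches:
        ids.update(CVE_ID_RE.findall(patch))
    return ids


def check_vulnerabilities(pkg: Package, feed=CVE_FEED) -> List[str]:
    """Return the sorted CVE ids the package is still exposed to."""
    suppressed = patched_cves(pkg) | set(pkg.hidden_cves)
    return sorted(
        e.cve_id for e in feed
        if e.product == pkg.name
        and affected(e, pkg.version)
        and e.cve_id not in suppressed
    )


if __name__ == "__main__":
    samples = [
        Package("libraw", "0.17.0"),
        Package("libraw", "0.17.2"),
        Package("libraw", "0.17.0", patches=["libraw-CVE-2015-8366.patch"]),
    ]
    for p in samples:
        print(f"{p.name}@{p.version}: {check_vulnerabilities(p) or 'no known CVEs'}")
    # A feed that does not yet contain the entries reports nothing at all.
    print("with empty feed:", check_vulnerabilities(Package("libraw", "0.17.0"), feed=[]))
```

The version bump to 0.17.2 clears the report because the version comparison crosses the `fixed_in` bound; a patch-based fix is only recognised because the CVE id appears in the patch name, which is why naming backport patches after the CVE they address matters for any checker built this way.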