From mboxrd@z Thu Jan  1 00:00:00 1970
From: Alex Vong <alexvong1995@gmail.com>
Subject: Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
Date: Sat, 15 Oct 2016 08:31:33 +0800
Message-ID: <87twceqwpm.fsf@gmail.com>
References: <87mvi7f2p9.fsf@gmail.com> <20161014173625.GB23963@jasmine>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha256; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49500)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <alexvong1995@gmail.com>) id 1bvCtH-00065e-Ck
	for guix-devel@gnu.org; Fri, 14 Oct 2016 20:31:56 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <alexvong1995@gmail.com>) id 1bvCtD-0002sc-2w
	for guix-devel@gnu.org; Fri, 14 Oct 2016 20:31:54 -0400
Received: from mail-pf0-x229.google.com ([2607:f8b0:400e:c00::229]:36037)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <alexvong1995@gmail.com>)
	id 1bvCtC-0002sJ-RS
	for guix-devel@gnu.org; Fri, 14 Oct 2016 20:31:51 -0400
Received: by mail-pf0-x229.google.com with SMTP id e6so55714171pfk.3
	for <guix-devel@gnu.org>; Fri, 14 Oct 2016 17:31:50 -0700 (PDT)
In-Reply-To: <20161014173625.GB23963@jasmine> (Leo Famulari's message of "Fri,
	14 Oct 2016 13:36:25 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Leo Famulari <leo@famulari.name> writes:

> On Fri, Oct 14, 2016 at 10:02:58PM +0800, Alex Vong wrote:
>> Hi,
>>=20
>> I find out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366,
>> 8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to
>> 0.17.2.
>>=20
>
>> From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Fri, 14 Oct 2016 21:45:47 +0800
>> Subject: [PATCH] gnu: libraw: Update to 0.17.2.
>>=20
>> * gnu/packages/photo.scm (libraw): Update to 0.17.2.
>
> Thank you for catching this and sending a patch!
>
> I added the CVE IDs to the commit message and pushed as
> b280e67ca6f62c176c72439df4533a9737b9130a.
>
>> I think we really need a security tracker as suggested earlier (by Leo I
>> think), because the bug was disclosed in Dec 2015, so our libraw is
>> being vulnerable for 3/4 year, which is pretty scary!
>
> Did I suggest that? I don't usually suggest creating new infrastructure
> :)
>
Ok. It must be someone else suggesting creating a website... :)

> If we had a security tracker that is as good as Debian's, I would be
> thrilled. I look at their tracker almost daily. On the other hand, there
> are parts of Debian's web infrastructure that seem to be "crumbling" =E2=
=80=94
> dead links et cetera. I'm loathe to add non-automated infrastructure to
> Guix if we can't support it properly. I'd rather lack the infrastructure
> than have it half-baked.
>
> For now I use `guix lint -c cve` and my mailing list / bug tracker
> subscriptions.
>
> By the way, `guix lint -c cve` didn't report these two bugs because they
> are still not "disclosed" in the database from which we pull our CVE
> information [0]:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-8366
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2015-8367
>
> That's why it's important for Guix developers / users to pay attention
> to the upstream development of packages they are interested in. Until
> upstream security fixes can be reliably detected by an automated system,
> there are no substitutes for human attention, only complements.
>
> [0]
> http://git.savannah.gnu.org/cgit/guix.git/tree/guix/cve.scm#n41

Thanks for explaining the current situation. I don't know about
`guix lint -c cve`. It reports many CVE vulnerabilities. How does it
knows if a particular vulnerability is fixed by a patch?

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJYAXjlAAoJEG6w5RGTUYWArdgH/0QC7Hj7XhI3U83W6shpsqir
He0RSKKrTS+PiljhozqZ5hj81Gd8heYrNjQqoZTp5pAnllmyIly5XcgJh602s6LH
KnivFXCcT8mm555JrrXSH0B4K0jcH5Jg9IS6yx5mDopM9fOc2FJV6rG4DnSNbwBw
gUkf6ziifzIYubFQFpDwWCvhyuuwax06s3Vqy+oHtfMy/8zJt0E6QdN9mfcPPGN3
wCw1YPwjXD7kcsz54c2iYKeQDIxxaP7zQEDMp1H0ugz67hcZupren6A9YTRvYhA5
22RAbowbS14H3VANgiRTFybX7/J2xam+leM7nABtN3FCmdVHW6GUha8doGSMaqg=
=OFbA
-----END PGP SIGNATURE-----
--=-=-=--