From: Kei Kebreau
Subject: Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
Date: Sat, 15 Oct 2016 22:30:13 -0400
Message-ID: <87wph9auve.fsf@openmailbox.org>
References: <20161014104404.22087.86582@vcs.savannah.gnu.org> <20161014104405.901E322012A@vcs.savannah.gnu.org> <20161014174820.GA30644@jasmine> <87mvi6xyl7.fsf@openmailbox.org> <20161015180335.GC14171@macbook42.flashner.co.il> <87instcue6.fsf@openmailbox.org> <20161015195005.GC8809@jasmine>
In-Reply-To: <20161015195005.GC8809@jasmine> (Leo Famulari's message of "Sat, 15 Oct 2016 15:50:05 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> On Sat, Oct 15, 2016 at 02:57:37PM -0400, Kei Kebreau wrote:
>> Efraim Flashner writes:
>> > On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
>> >> Leo Famulari writes:
>> >> > Debian has a patch to make it use "system" copies of the libraries:
>> >> >
>> >> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
>> >> >
>> >> > For now, our freeimage package is probably vulnerable to many publicly
>> >> > disclosed security bugs.
>> >> >
>> >> > Who volunteers to try fixing this?
>> >>
>> >> The patch is attached. I've removed the bit from Debian that disables JPEG
>> >> transformation functions, as seen below. JPEGTransform.cpp (in
>> >> Source/FreeImageToolkit) gave me some trouble when I left that part of
>> >> the patch alone.
>> >
>> > I was looking at it and I thought it was going to be much more than 400
>> > lines in the end.
>> >
>> > Did we also need the other patch?
>> > https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
>> >
>> > On one hand we could carry a modified version of Debian's patch, on the
>> > other hand some of these look like they could be a series of substitute*
>> > commands. I started looking through the patch and thinking how to
>> > convert them from "../path/to/header.h" to and realizing I
>> > myself wouldn't want to do that, so that could easily be an option for
>> > another time :).
>>
>> Looking at its contents, adding that patch would make a lot of sense. :-)
>
> Yes, I think we need to use both patches. Will you submit an updated
> version of your patch?

I intend to.
The updated patch requires a JPEG XR library to be packaged (and maybe others), but I am having some trouble getting a source URL from CodePlex.
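As an added illustration, not code from this thread or from the FreeImage or Debian patches: a small Python helper that performs the `"../path/to/header.h"` to `<header.h>` conversion Efraim describes, then audits a source tree for any bundled-library includes a patch left behind (the point being that only includes resolved against system copies pick up the distribution's security fixes). The vendored directory names and the sample files are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumed vendored-library directory names; they stand in for whatever the
# real tree bundles and are not taken from the FreeImage source.
VENDORED_DIRS = ("LibJPEG", "LibPNG", "ZLib")

# Matches `#include "../LibFoo/bar.h"`: group 1 is the include keyword and
# spacing, group 2 the directory reached through `..`, group 3 the header.
INCLUDE_RE = re.compile(
    r'^(\s*#\s*include\s+)"(?:\.\./)*([A-Za-z0-9_]+)/([^"/]+)"', re.MULTILINE)

def rewrite_vendored_includes(text, vendored=VENDORED_DIRS):
    """Turn includes that reach into a vendored directory into the system
    form `#include <header>`; other includes stay. Returns (text, count)."""
    count = 0
    def repl(match):
        nonlocal count
        prefix, directory, header = match.groups()
        if directory not in vendored:
            return match.group(0)
        count += 1
        return f"{prefix}<{header}>"

    return INCLUDE_RE.sub(repl, text), count

def remaining_vendored_includes(root, vendored=VENDORED_DIRS):
    """Audit a tree after patching: (relative path, line number, line) for
    every include still pointing into a vendored directory; empty is good."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix not in (".c", ".cpp", ".h"):
            continue
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            match = INCLUDE_RE.match(line)
            if match and match.group(2) in vendored:
                hits.append((str(path.relative_to(root)), lineno, line.strip()))
    return hits

def demo_audit():
    """Constructed sample tree: one file still using a bundled header."""
    root = Path(tempfile.mkdtemp())
    toolkit = root / "Source" / "FreeImageToolkit"
    toolkit.mkdir(parents=True)
    (toolkit / "JPEGTransform.cpp").write_text(
        '#include "../LibJPEG/jpeglib.h"\n#include "../Utilities.h"\n')
    (root / "Source" / "Plugin.cpp").write_text("#include <zlib.h>\n")
    return remaining_vendored_includes(root)
```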