unofficial mirror of guix-devel@gnu.org 
From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: libgd security update
Date: Sat, 16 Jul 2016 14:36:27 +0200
Message-ID: <87wpklahf8.fsf@gnu.org>
In-Reply-To: <20160715203212.GA10916@jasmine> (Leo Famulari's message of "Fri, 15 Jul 2016 16:32:12 -0400")

Leo Famulari <leo@famulari.name> writes:

> Several security vulnerabilities in libgd have been discovered recently,
> and today Debian issued a security update:
> https://lists.debian.org/debian-security-announce/2016/msg00197.html
>
> The first patch updates libgd to the latest release, 2.2.2, fixing some
> of the bugs.
>
> For the remaining bugs, I've taken patches from the master branch of the
> libgd Git repo.
>
> Two of the patches included binary files to be used in tests, which
> `patch` cannot handle, so I've removed those parts of the patches.
>
> This patch series was not trivial to create; removing the binary diffs
> required some care, some of the patches depended on changes associated
> with the removed binary diffs, and some upstream fixes were reverted and
> re-committed with changes. Will someone double-check this patch series
> for mistakes?

I am familiar with neither gd nor this CVE, but at first sight the
changes make sense to me.  AIUI they are mostly those in upstream’s
repo, minus the binary test data, so that should be fine.

> From a27a22635f0615495d18b2d78eb90745d5989a0e Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Fri, 15 Jul 2016 14:47:47 -0400
> Subject: [PATCH 1/2] gnu: gd: Update to 2.2.2 [fixes CVE-2016-{5767,6161}].
>
> * gnu/packages/gd.scm (gd): Update to 2.2.2.

[...]

> From 2840ecffd86395bd63734406f924905bac727104 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Fri, 15 Jul 2016 14:48:09 -0400
> Subject: [PATCH 2/2] gnu: gd: Fix CVE-2016-{5766,6128,6132,6214}.
>
> * gnu/packages/patches/gd-CVE-2016-5766.patch,
> gnu/packages/patches/gd-CVE-2016-6128.patch,
> gnu/packages/patches/gd-CVE-2016-6132.patch,
> gnu/packages/patches/gd-CVE-2016-6214.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/gd.scm (gd): Use patches.

I’d say OK for both.

Thanks!

Ludo’.
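The binary test data that Leo describes stripping from the upstream patches by hand, as an added example that is not part of this thread or of Guix: a small Python helper that drops git binary-diff sections from a `git format-patch` file (which `patch` cannot apply) and then reports which dropped files are still named in the remaining text hunks, the kind of dependency that made this series delicate to prepare. The sample patch, its paths and its hashes are constructed.

```python
import re
# Constructed sample (not from the thread): a test-list hunk plus a binary fixture.
SAMPLE_PATCH = """\
Subject: [PATCH] tests: add regression input

---
diff --git a/tests/Makefile.am b/tests/Makefile.am
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -3,2 +3,3 @@ EXTRA_DIST = \\
 \tfixtures/ok.gd \\
+\tfixtures/crash.gd \\
 \tfixtures/other.gd
diff --git a/tests/fixtures/crash.gd b/tests/fixtures/crash.gd
index 0000000..3333333
GIT binary patch
literal 64
zcmV+P0000000000000000000000000000000000000000000000000000000000000

-- 
2.9.0
"""

def split_patch(text):
    """Split a format-patch mail into (preamble, per-file sections, trailer)."""
    cut = text.rfind("\n-- \n")  # mail signature separator, if present
    body, trailer = (text[:cut + 1], text[cut + 1:]) if cut != -1 else (text, "")
    parts = re.split(r"(?m)^(?=diff --git )", body)
    return parts[0], parts[1:], trailer

def is_binary_section(section):
    """True if a per-file section carries a binary diff that `patch` cannot apply."""
    return ("\nGIT binary patch\n" in section
            or re.search(r"(?m)^Binary files .* differ$", section) is not None)

def strip_binary_sections(text):
    """Return (patch without its binary sections, paths that were dropped)."""
    preamble, sections, trailer = split_patch(text)
    kept, dropped = [], []
    for sec in sections:
        path = re.match(r"diff --git a/(\S+) b/", sec).group(1)
        if is_binary_section(sec):
            dropped.append(path)
        else:
            kept.append(sec)
    return preamble + "".join(kept) + trailer, dropped

def dangling_references(stripped, dropped):
    """Dropped files whose basename is still named in the remaining text hunks."""
    hunks = "".join(split_patch(stripped)[1])
    return sorted(p for p in dropped if p.rsplit("/", 1)[-1] in hunks)
```

Any path reported by `dangling_references` marks a text hunk that will apply but leave the build or test suite pointing at a file that no longer ships, which is exactly what a reviewer of such a series has to check by hand.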


Thread overview: 3+ messages
2016-07-15 20:32 libgd security update Leo Famulari
2016-07-16 12:36 ` Ludovic Courtès [this message]
2016-07-16 16:51   ` Leo Famulari
