Subject: Re: libcaca vulnerable to CVE-2021-3410
From: Léo Le Bouter
To: guix-devel@gnu.org
Date: Tue, 09 Mar 2021 07:19:52 +0100

On Wed, 2021-03-03 at 21:48 +0100, Léo Le Bouter wrote:
> CVE-2021-3410 24.02.21 00:15
> A flaw was found in libcaca v0.99.beta19. A buffer overflow issue in
> caca_resize function in libcaca/caca/canvas.c may lead to local
> execution of arbitrary code in the user context.
>
> libcaca has not made a release yet, so you need to look upstream and
> cherry-pick the commits.
>
> See https://github.com/cacalabs/libcaca/issues/52

Fixed at fe830ffd8d761cee27edd069e3d99c1ab891cbf3 by Efraim Flashner
<efraim@flashner.co.il>

Thanks