From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: [PATCH 0/2] Update imlib2 and patch against CVE-2016-4024 Date: Sat, 23 Apr 2016 00:01:02 -0400 Message-ID: <20160423040102.GA2094@jasmine> References: <87bn51ggem.fsf@netris.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:49236) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1atoko-0007ZC-FN for guix-devel@gnu.org; Sat, 23 Apr 2016 00:01:11 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1atokk-00086e-G0 for guix-devel@gnu.org; Sat, 23 Apr 2016 00:01:10 -0400 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:55077) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1atokk-00086N-C6 for guix-devel@gnu.org; Sat, 23 Apr 2016 00:01:06 -0400 Content-Disposition: inline In-Reply-To: <87bn51ggem.fsf@netris.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Mark H Weaver Cc: guix-devel@gnu.org On Fri, Apr 22, 2016 at 11:20:17PM -0400, Mark H Weaver wrote: > Leo Famulari writes: > > > This applies from a patch from imlib2's source code repository. > > > > The change fixes an integer overflow on 32-bit machines. The upstream > > says: > > > > Security implications: > > *) for 32-bit machines: insufficient heap allocation and heap overwrite > > in many image loaders, with escalation potential to remote code > > execution; > > *) for 64-bit machines: it seems, no impact. > > > > In the patch file, there are references to imlib2's source repo and the > > CVE page on Mitre. > > > > I tested that feh and scrot still work with this change. > > Looks good to me. Please push. Done as e993fb84