From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
Date: Fri, 14 Oct 2016 13:48:20 -0400 [thread overview]
Message-ID: <20161014174820.GA30644@jasmine> (raw)
In-Reply-To: <20161014104405.901E322012A@vcs.savannah.gnu.org>
On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
> efraim pushed a commit to branch master
> in repository guix.
>
> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
> Author: Efraim Flashner <efraim@flashner.co.il>
> Date: Fri Oct 14 11:28:21 2016 +0300
>
> gnu: freeimage: Fix CVE-2016-5684.
>
> * gnu/packages/image.scm (freeimage)[source]: Add patch.
> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> ---
> gnu/local.mk | 1 +
> gnu/packages/image.scm | 3 +-
> gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34 ++++++++++++++++++++
> 3 files changed, 37 insertions(+), 1 deletion(-)
Efraim pointed out on IRC that our freeimage packages bundles many
3rd-party libraries:
$ ls -1 FreeImage/Source
CacheFile.h
DeprecationManager
FreeImage
FreeImage.h
FreeImageIO.h
FreeImageLib
FreeImageToolkit
LibJPEG
LibJXR
LibOpenJPEG
LibPNG
LibRawLite
LibTIFF4
LibWebP
MapIntrospector.h
Metadata
OpenEXR
Plugin.h
Quantizers.h
ToneMapping.h
Utilities.h
ZLib
Debian has a patch to make it use "system" copies of the libraries:
https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
For now, our freeimage package is probably vulnerable to many publicly
disclosed security bugs.
Who volunteers to try fixing this?
next parent reply other threads:[~2016-10-14 17:48 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20161014104404.22087.86582@vcs.savannah.gnu.org>
[not found] ` <20161014104405.901E322012A@vcs.savannah.gnu.org>
2016-10-14 17:48 ` Leo Famulari [this message]
2016-10-15 0:09 ` Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.] Kei Kebreau
2016-10-15 18:03 ` Efraim Flashner
2016-10-15 18:57 ` Kei Kebreau
2016-10-15 19:50 ` Leo Famulari
2016-10-16 2:30 ` Kei Kebreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161014174820.GA30644@jasmine \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.