Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]

[Leo Famulari <leo@famulari.name>]

[-- Attachment #1: Type: text/plain, Size: 1720 bytes --]

On Sat, Oct 15, 2016 at 02:57:37PM -0400, Kei Kebreau wrote:
> Efraim Flashner <efraim@flashner.co.il> writes:
> > On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
> >> Leo Famulari <leo@famulari.name> writes:
> >> > Debian has a patch to make it use "system" copies of the libraries:
> >> >
> >> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
> >> >
> >> > For now, our freeimage package is probably vulnerable to many publicly
> >> > disclosed security bugs.
> >> >
> >> > Who volunteers to try fixing this?
> >> 
> >> The patch is attached. I've removed the bit from Debian that disables JPEG
> >> transformation functions, as seen below. JPEGTransform.cpp (in
> >> Source/FreeImageToolkit) gave me some trouble when I left that part of
> >> the patch alone.
>
> > I was looking at it and I thought it was going to be much more than 400
> > lines in the end.
> >
> > Did we also need the other patch?
> > https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches/Use-system-dependencies.patch/
> >
> > On one hand we could carry a modified version of Debian's patch, on the
> > other hand some of these look like they could be a series of substitute*
> > commands. I started looking through the patch and thinking how to
> > convert them from "../path/to/header.h" to <header.h> and realizing I
> > myself wouldn't want to do that, so that could easily be an option for
> > another time :).
> 
> Looking at its contents, adding that patch would make a lot of sense. :-)

Yes, I think we need to use both patches. Will you submit an updated
version of your patch?

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]