all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Leo Famulari <leo@famulari.name>
To: Alex Vong <alexvong1995@gmail.com>
Cc: guix-devel@gnu.org
Subject: Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
Date: Sat, 15 Oct 2016 15:52:39 -0400	[thread overview]
Message-ID: <20161015195239.GD8809@jasmine> (raw)
In-Reply-To: <87twceqwpm.fsf@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 3880 bytes --]

On Sat, Oct 15, 2016 at 08:31:33AM +0800, Alex Vong wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > On Fri, Oct 14, 2016 at 10:02:58PM +0800, Alex Vong wrote:
> >> Hi,
> >> 
> >> I find out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366,
> >> 8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to
> >> 0.17.2.
> >> 
> >
> >> From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001
> >> From: Alex Vong <alexvong1995@gmail.com>
> >> Date: Fri, 14 Oct 2016 21:45:47 +0800
> >> Subject: [PATCH] gnu: libraw: Update to 0.17.2.
> >> 
> >> * gnu/packages/photo.scm (libraw): Update to 0.17.2.
> >
> > Thank you for catching this and sending a patch!
> >
> > I added the CVE IDs to the commit message and pushed as
> > b280e67ca6f62c176c72439df4533a9737b9130a.
> >
> >> I think we really need a security tracker as suggested earlier (by Leo I
> >> think), because the bug was disclosed in Dec 2015, so our libraw is
> >> being vulnerable for 3/4 year, which is pretty scary!
> >
> > Did I suggest that? I don't usually suggest creating new infrastructure
> > :)
> >
> Ok. It must be someone else suggesting creating a website... :)
> 
> > If we had a security tracker that is as good as Debian's, I would be
> > thrilled. I look at their tracker almost daily. On the other hand, there
> > are parts of Debian's web infrastructure that seem to be "crumbling" —
> > dead links et cetera. I'm loathe to add non-automated infrastructure to
> > Guix if we can't support it properly. I'd rather lack the infrastructure
> > than have it half-baked.
> >
> > For now I use `guix lint -c cve` and my mailing list / bug tracker
> > subscriptions.
> >
> > By the way, `guix lint -c cve` didn't report these two bugs because they
> > are still not "disclosed" in the database from which we pull our CVE
> > information [0]:
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
> >
> > That's why it's important for Guix developers / users to pay attention
> > to the upstream development of packages they are interested in. Until
> > upstream security fixes can be reliably detected by an automated system,
> > there are no substitutes for human attention, only complements.
> >
> > [0]
> > http://git.savannah.gnu.org/cgit/guix.git/tree/guix/cve.scm#n41
> 
> Thanks for explaining the current situation. I don't know about
> `guix lint -c cve`. It reports many CVE vulnerabilities. How does it
> knows if a particular vulnerability is fixed by a patch?

If I understand correctly, the linter looks for a CVE ID in the patch
file names [0]:

------
(define (check-vulnerabilities package)
  "Check for known vulnerabilities for PACKAGE."
  (let ((package (or (package-replacement package) package)))
    (match (package-vulnerabilities package)
      (()
       #t)
      ((vulnerabilities ...)
       (let* ((patches   (filter-map patch-file-name
                                     (or (and=> (package-source package)
                                                origin-patches)
                                         '())))
              (unpatched (remove (lambda (vuln)
                                   (find (cute string-contains
                                           <> (vulnerability-id vuln))
                                         patches))
                                 vulnerabilities)))
         (unless (null? unpatched)
           (emit-warning package
                         (format #f (_ "probably vulnerable to ~a")
                                 (string-join (map vulnerability-id unpatched)
                                              ", ")))))))))
------

[0]
http://git.savannah.gnu.org/cgit/guix.git/tree/guix/scripts/lint.scm#n684

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

      reply	other threads:[~2016-10-15 19:52 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-10-14 14:02 [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2 Alex Vong
2016-10-14 17:36 ` Leo Famulari
2016-10-15  0:31   ` Alex Vong
2016-10-15 19:52     ` Leo Famulari [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161015195239.GD8809@jasmine \
    --to=leo@famulari.name \
    --cc=alexvong1995@gmail.com \
    --cc=guix-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.