From: Leo Famulari <leo@famulari.name>
To: Alex Vong <alexvong1995@gmail.com>
Cc: guix-devel@gnu.org
Subject: Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
Date: Sat, 15 Oct 2016 15:52:39 -0400 [thread overview]
Message-ID: <20161015195239.GD8809@jasmine> (raw)
In-Reply-To: <87twceqwpm.fsf@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 3880 bytes --]
On Sat, Oct 15, 2016 at 08:31:33AM +0800, Alex Vong wrote:
> Leo Famulari <leo@famulari.name> writes:
>
> > On Fri, Oct 14, 2016 at 10:02:58PM +0800, Alex Vong wrote:
> >> Hi,
> >>
> >> I find out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366,
> >> 8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to
> >> 0.17.2.
> >>
> >
> >> From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001
> >> From: Alex Vong <alexvong1995@gmail.com>
> >> Date: Fri, 14 Oct 2016 21:45:47 +0800
> >> Subject: [PATCH] gnu: libraw: Update to 0.17.2.
> >>
> >> * gnu/packages/photo.scm (libraw): Update to 0.17.2.
> >
> > Thank you for catching this and sending a patch!
> >
> > I added the CVE IDs to the commit message and pushed as
> > b280e67ca6f62c176c72439df4533a9737b9130a.
> >
> >> I think we really need a security tracker as suggested earlier (by Leo I
> >> think), because the bug was disclosed in Dec 2015, so our libraw is
> >> being vulnerable for 3/4 year, which is pretty scary!
> >
> > Did I suggest that? I don't usually suggest creating new infrastructure
> > :)
> >
> Ok. It must be someone else suggesting creating a website... :)
>
> > If we had a security tracker that is as good as Debian's, I would be
> > thrilled. I look at their tracker almost daily. On the other hand, there
> > are parts of Debian's web infrastructure that seem to be "crumbling" —
> > dead links et cetera. I'm loathe to add non-automated infrastructure to
> > Guix if we can't support it properly. I'd rather lack the infrastructure
> > than have it half-baked.
> >
> > For now I use `guix lint -c cve` and my mailing list / bug tracker
> > subscriptions.
> >
> > By the way, `guix lint -c cve` didn't report these two bugs because they
> > are still not "disclosed" in the database from which we pull our CVE
> > information [0]:
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
> >
> > That's why it's important for Guix developers / users to pay attention
> > to the upstream development of packages they are interested in. Until
> > upstream security fixes can be reliably detected by an automated system,
> > there are no substitutes for human attention, only complements.
> >
> > [0]
> > http://git.savannah.gnu.org/cgit/guix.git/tree/guix/cve.scm#n41
>
> Thanks for explaining the current situation. I don't know about
> `guix lint -c cve`. It reports many CVE vulnerabilities. How does it
> knows if a particular vulnerability is fixed by a patch?
If I understand correctly, the linter looks for a CVE ID in the patch
file names [0]:
------
(define (check-vulnerabilities package)
"Check for known vulnerabilities for PACKAGE."
(let ((package (or (package-replacement package) package)))
(match (package-vulnerabilities package)
(()
#t)
((vulnerabilities ...)
(let* ((patches (filter-map patch-file-name
(or (and=> (package-source package)
origin-patches)
'())))
(unpatched (remove (lambda (vuln)
(find (cute string-contains
<> (vulnerability-id vuln))
patches))
vulnerabilities)))
(unless (null? unpatched)
(emit-warning package
(format #f (_ "probably vulnerable to ~a")
(string-join (map vulnerability-id unpatched)
", ")))))))))
------
[0]
http://git.savannah.gnu.org/cgit/guix.git/tree/guix/scripts/lint.scm#n684
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
prev parent reply other threads:[~2016-10-15 19:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-10-14 14:02 [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2 Alex Vong
2016-10-14 17:36 ` Leo Famulari
2016-10-15 0:31 ` Alex Vong
2016-10-15 19:52 ` Leo Famulari [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161015195239.GD8809@jasmine \
--to=leo@famulari.name \
--cc=alexvong1995@gmail.com \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.