From: Leo Famulari
Subject: Re: [SECURITY] [PATCH] gnu: libraw: Update to 0.17.2.
Date: Sat, 15 Oct 2016 15:52:39 -0400
To: Alex Vong
Cc: guix-devel@gnu.org

On Sat, Oct 15, 2016 at 08:31:33AM +0800, Alex Vong wrote:
> Leo Famulari writes:
>
> > On Fri, Oct 14, 2016 at 10:02:58PM +0800, Alex Vong wrote:
> >> Hi,
> >>
> >> I found out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366,
> >> 8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to
> >> 0.17.2.
> >>
> >> From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001
> >> From: Alex Vong
> >> Date: Fri, 14 Oct 2016 21:45:47 +0800
> >> Subject: [PATCH] gnu: libraw: Update to 0.17.2.
> >>
> >> * gnu/packages/photo.scm (libraw): Update to 0.17.2.
> >
> > Thank you for catching this and sending a patch!
> >
> > I added the CVE IDs to the commit message and pushed as
> > b280e67ca6f62c176c72439df4533a9737b9130a.
> >
> >> I think we really need a security tracker as suggested earlier (by Leo I
> >> think), because the bug was disclosed in Dec 2015, so our libraw has
> >> been vulnerable for 3/4 year, which is pretty scary!
> >
> > Did I suggest that? I don't usually suggest creating new infrastructure
> > :)
> >
> Ok. It must be someone else suggesting creating a website... :)
>
> > If we had a security tracker that is as good as Debian's, I would be
> > thrilled. I look at their tracker almost daily. On the other hand, there
> > are parts of Debian's web infrastructure that seem to be "crumbling" —
> > dead links et cetera. I'm loath to add non-automated infrastructure to
> > Guix if we can't support it properly. I'd rather lack the infrastructure
> > than have it half-baked.
> >
> > For now I use `guix lint -c cve` and my mailing list / bug tracker
> > subscriptions.
> >
> > By the way, `guix lint -c cve` didn't report these two bugs because they
> > are still not "disclosed" in the database from which we pull our CVE
> > information [0]:
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
> >
> > That's why it's important for Guix developers / users to pay attention
> > to the upstream development of packages they are interested in. Until
> > upstream security fixes can be reliably detected by an automated system,
> > there are no substitutes for human attention, only complements.
> >
> > [0]
> > http://git.savannah.gnu.org/cgit/guix.git/tree/guix/cve.scm#n41
>
> Thanks for explaining the current situation. I don't know about
> `guix lint -c cve`. It reports many CVE vulnerabilities. How does it
> know if a particular vulnerability is fixed by a patch?

If I understand correctly, the linter looks for a CVE ID in the patch
file names [0]:

------
(define (check-vulnerabilities package)
  "Check for known vulnerabilities for PACKAGE."
  (let ((package (or (package-replacement package) package)))
    (match (package-vulnerabilities package)
      (()
       #t)
      ((vulnerabilities ...)
       ;; File names of the patches applied to the package's source, if any.
       (let* ((patches (filter-map patch-file-name
                                   (or (and=> (package-source package)
                                              origin-patches)
                                       '())))
              ;; A vulnerability counts as patched when its ID appears as a
              ;; substring of some patch file name.
              (unpatched (remove (lambda (vuln)
                                   (find (cute string-contains
                                               <> (vulnerability-id vuln))
                                         patches))
                                 vulnerabilities)))
         (unless (null? unpatched)
           (emit-warning package
                         (format #f (_ "probably vulnerable to ~a")
                                 (string-join (map vulnerability-id unpatched)
                                              ", ")))))))))
------

[0] http://git.savannah.gnu.org/cgit/guix.git/tree/guix/scripts/lint.scm#n684
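The check quoted above, modelled in Python as an added example rather than Guix code: CVE_DB is a constructed exact-version table standing in for the MITRE feed behind package-vulnerabilities (which really matches version ranges), the CVE-0000-* IDs are placeholders, and the digit-boundary variant unpatched_strict is an addition of mine, not something the linter does.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the feed behind package-vulnerabilities:
# (package name, version) -> CVE IDs known to affect that version.  The IDs are
# placeholders; CVE-2015-8366/8367 from the thread are deliberately absent, as
# the feed had not disclosed them when this mail was written.
CVE_DB: Dict[Tuple[str, str], List[str]] = {
    ("libraw", "0.17.0"): ["CVE-0000-0001"],
    ("libfoo", "1.0"): ["CVE-0000-0002", "CVE-0000-0003"],
}

@dataclass
class Package:
    name: str
    version: str
    patches: List[str] = field(default_factory=list)   # origin patch file names

def unpatched_vulnerabilities(pkg: Package, db=CVE_DB) -> List[str]:
    """Mirror of check-vulnerabilities: keep every CVE known for this version
    whose ID is not a substring (string-contains) of some patch file name."""
    known = db.get((pkg.name, pkg.version), [])
    return [cve for cve in known if not any(cve in p for p in pkg.patches)]

def unpatched_strict(pkg: Package, db=CVE_DB) -> List[str]:
    """Added variant: anchor the ID on digit boundaries, so a patch named for a
    longer ID (CVE-0000-00021) no longer silences CVE-0000-0002."""
    known = db.get((pkg.name, pkg.version), [])
    def named(cve: str, patch: str) -> bool:
        return re.search(r"(?<!\d)" + re.escape(cve) + r"(?!\d)", patch) is not None
    return [cve for cve in known if not any(named(cve, p) for p in pkg.patches)]

def lint_warning(pkg: Package, db=CVE_DB) -> Optional[str]:
    """The warning text the linter would emit, or None when it stays silent."""
    unpatched = unpatched_vulnerabilities(pkg, db)
    if not unpatched:
        return None
    return f"{pkg.name}@{pkg.version}: probably vulnerable to {', '.join(unpatched)}"

if __name__ == "__main__":
    # libraw 0.17.0: flagged for the feed's ID, silent on CVE-2015-8366/8367.
    print(lint_warning(Package("libraw", "0.17.0")))
    # Updating to 0.17.2 (the thread's fix) leaves no matching feed entry.
    print(lint_warning(Package("libraw", "0.17.2")))
    # A patch named after the CVE is taken as the fix, whatever it contains.
    print(lint_warning(Package("libfoo", "1.0", ["libfoo-CVE-0000-0002.patch"])))
    # Substring match: a patch for CVE-0000-00021 also hides CVE-0000-0002.
    print(unpatched_vulnerabilities(Package("libfoo", "1.0", ["libfoo-CVE-0000-00021.patch"])))
    print(unpatched_strict(Package("libfoo", "1.0", ["libfoo-CVE-0000-00021.patch"])))
```

The two silent cases are the ones the thread turns on: an ID the feed has not published yet, and a patch whose name carries the ID regardless of what it actually fixes.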