From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mark H Weaver Subject: Re: [PATCH 0/2] Update imlib2 and patch against CVE-2016-4024 Date: Fri, 22 Apr 2016 23:20:17 -0400 Message-ID: <87bn51ggem.fsf@netris.org> References: Mime-Version: 1.0 Content-Type: text/plain Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:43862) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ato7n-0000X9-SM for guix-devel@gnu.org; Fri, 22 Apr 2016 23:20:52 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ato7k-0005uo-Me for guix-devel@gnu.org; Fri, 22 Apr 2016 23:20:51 -0400 Received: from world.peace.net ([50.252.239.5]:37704) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ato7k-0005ug-JL for guix-devel@gnu.org; Fri, 22 Apr 2016 23:20:48 -0400 In-Reply-To: (Leo Famulari's message of "Wed, 20 Apr 2016 23:19:52 -0400") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Leo Famulari Cc: guix-devel@gnu.org Leo Famulari writes: > This applies from a patch from imlib2's source code repository. > > The change fixes an integer overflow on 32-bit machines. The upstream > says: > > Security implications: > *) for 32-bit machines: insufficient heap allocation and heap overwrite > in many image loaders, with escalation potential to remote code > execution; > *) for 64-bit machines: it seems, no impact. > > In the patch file, there are references to imlib2's source repo and the > CVE page on Mitre. > > I tested that feh and scrot still work with this change. Looks good to me. Please push. Thanks! Mark