Subject: [bug#38687] [PATCH] gnu: Add libtcod.
From: Marius Bakke
To: goodoldpaul@autistici.org
Cc: Ludovic Courtès, 38687@debbugs.gnu.org
Date: Mon, 10 Feb 2020 22:10:46 +0100
Message-ID: <87mu9q2lnt.fsf@devup.no>
In-Reply-To: <891e12c54b84a6f4caad6b4c72f1ecba@autistici.org>
References: <20191220123739.18081-1-goodoldpaul@autistici.org> <875zi6j3c1.fsf@gnu.org> <891e12c54b84a6f4caad6b4c72f1ecba@autistici.org> <87muaftj2u.fsf@devup.no>

goodoldpaul@autistici.org writes:

> Hi Marius and Ludo,
> I managed to remove all vendored libraries except for glad.h which seems
> to be some kind of generated glue code for loading OpenGL
> (https://github.com/Dav1dde/glad). In the next two patches I'm adding
> libtcod and its dependency lodepng.

Excellent, thanks for taking the time to get rid of the bundled
dependencies.

> Guix lint is warning me that lodepng could be affected by
> CVE-2019-17178, but taking a look at
> https://nvd.nist.gov/vuln/detail/CVE-2019-17178 and
> https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe%3a%2fa%3alodev%3alodepng%3a2019-09-28
> seems to indicate that lodepng should be *not* vulnerable since
> 28/09/2019, did I understand correctly?
>
> Please don't hesitate and tell me if anything should be done w.r.t. the
> CVE.

The CVE entry points to this commit:

https://github.com/FreeRDP/FreeRDP/commit/9fee4ae076b1ec97b97efb79ece08d1dab4df29a

Which changes something in FreeRDP's bundled version of LodePNG. The
changes in question do not seem to be in upstream LodePNG:

https://github.com/lvandeve/lodepng/blob/master/lodepng.cpp#L1079

It's not clear to me whether this is a problem with LodePNG, or just
improper use of its API. It looks like the latter: tree->lengths is
checked just below the changed line, so FreeRDP must be catching the 83
return code and keep going to get the memory leak described in the CVE
entry.

We can either ignore it using the 'lint-hidden-cve' property, and add a
comment that this version of LodePNG should not be used with FreeRDP; or
take the patch from FreeRDP, as it looks innocent enough.

I don't really have a strong opinion here, nor sufficient expertise, so
I'd be happy if others could chime in.