From mboxrd@z Thu Jan  1 00:00:00 1970
From: Kei Kebreau <kei@openmailbox.org>
Subject: Re: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu:
	freeimage: Fix CVE-2016-5684.]
Date: Sat, 15 Oct 2016 22:30:13 -0400
Message-ID: <87wph9auve.fsf@openmailbox.org>
References: <20161014104404.22087.86582@vcs.savannah.gnu.org>
	<20161014104405.901E322012A@vcs.savannah.gnu.org>
	<20161014174820.GA30644@jasmine> <87mvi6xyl7.fsf@openmailbox.org>
	<20161015180335.GC14171@macbook42.flashner.co.il>
	<87instcue6.fsf@openmailbox.org> <20161015195005.GC8809@jasmine>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha256; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:43018)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <kei@openmailbox.org>) id 1bvbEf-0006cW-1k
	for guix-devel@gnu.org; Sat, 15 Oct 2016 22:31:38 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <kei@openmailbox.org>) id 1bvbEb-0008HF-T2
	for guix-devel@gnu.org; Sat, 15 Oct 2016 22:31:37 -0400
Received: from smtp17.openmailbox.org ([62.4.1.51]:57208
	helo=smtp2.openmailbox.org)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <kei@openmailbox.org>) id 1bvbEb-0008Gl-Lq
	for guix-devel@gnu.org; Sat, 15 Oct 2016 22:31:33 -0400
In-Reply-To: <20161015195005.GC8809@jasmine> (Leo Famulari's message of "Sat,
	15 Oct 2016 15:50:05 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Leo Famulari <leo@famulari.name> writes:

> On Sat, Oct 15, 2016 at 02:57:37PM -0400, Kei Kebreau wrote:
>> Efraim Flashner <efraim@flashner.co.il> writes:
>> > On Fri, Oct 14, 2016 at 08:09:08PM -0400, Kei Kebreau wrote:
>> >> Leo Famulari <leo@famulari.name> writes:
>> >> > Debian has a patch to make it use "system" copies of the libraries:
>> >> >
>> >> > https://anonscm.debian.org/cgit/debian-science/packages/freeimage.g=
it/tree/debian/patches/Disable-vendored-dependencies.patch?h=3Ddebian/sid
>> >> >
>> >> > For now, our freeimage package is probably vulnerable to many publi=
cly
>> >> > disclosed security bugs.
>> >> >
>> >> > Who volunteers to try fixing this?
>> >>=20
>> >> The patch is attached. I've removed the bit from Debian that disables=
 JPEG
>> >> transformation functions, as seen below. JPEGTransform.cpp (in
>> >> Source/FreeImageToolkit) gave me some trouble when I left that part of
>> >> the patch alone.
>>
>> > I was looking at it and I thought it was going to be much more than 400
>> > lines in the end.
>> >
>> > Did we also need the other patch?
>> > https://sources.debian.net/src/freeimage/3.17.0%2Bds1-3/debian/patches=
/Use-system-dependencies.patch/
>> >
>> > On one hand we could carry a modified version of Debian's patch, on the
>> > other hand some of these look like they could be a series of substitut=
e*
>> > commands. I started looking through the patch and thinking how to
>> > convert them from "../path/to/header.h" to <header.h> and realizing I
>> > myself wouldn't want to do that, so that could easily be an option for
>> > another time :).
>>=20
>> Looking at its contents, adding that patch would make a lot of sense. :-)
>
> Yes, I think we need to use both patches. Will you submit an updated
> version of your patch?

I intend to. The updated patch requires a JPEG XR library to be packaged
(and maybe others), but I am having some trouble getting a source URL
from CodePlex.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJYAuY1AAoJEOal7jwZRnoNqIMQAMYYQWAZw+BLQ73G9VwEKnDj
Y/QxhVfiyv2fZHtz308xQM0f5cai/1KC980fAuUui1Yc3LuRML5Lv9BvAHNYJ0rU
UqcxKy3X5WdOYVJykAaqqJ5LLV1FFvM7n/R3z2Wxidlgq60uR2TPJrPFM7Qr+GE6
hx3whVesvWplhsAtzMTtwb4gqIAXi7d9hsOJl18vbCQdpIIn7n5G6WMemgoEUg8A
XJWMF8ThoJmht3/msc17zYQUMUMkiMFbcE5vee9KSJDpG4hxyYZxp2tSG9FhW6t9
8OpvY2UP2zDb1ffUfOO1Ec/OtUq4FDatxMa7SwUv9g6AKF6kvx0oP+6lsz2YBlLL
aAwwN+BkQdxZy/nGQyAmUPlPjxz8ZlgpYpLI7I++nkxRjd22DNIPHMNQ7MwzpTPr
m7EQB5WwM7/XR2C7h0I0Yz1EScZlUa7va87zdNLti+iGy6cWm4O88QxBhMyEyHLj
kvXhHpwQWXeDt+umhypbVaV8b/CbW13VSFv8diNfAtHxTmbl6L0DBh9jJ5N+ITfH
oeJFj16kkTyxdw3VyyknR0kWdt+4SLWFf7GWsB2Sae/chktHEBdDJCAF3/UQYTK/
ckAWF8B4teKcHBn9Vny16M6O81PXH4eMipcOjUGBNb0wd0T/odYms79Y6IvbLakF
1n+rx6nnY/QdldZrsRPS
=o9Ew
-----END PGP SIGNATURE-----
--=-=-=--