From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: [PATCH 0/2] Update imlib2 and patch against CVE-2016-4024 Date: Wed, 20 Apr 2016 23:19:52 -0400 Message-ID: Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:43604) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1at59X-0003Zx-0d for guix-devel@gnu.org; Wed, 20 Apr 2016 23:19:39 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1at59S-0004NX-1a for guix-devel@gnu.org; Wed, 20 Apr 2016 23:19:38 -0400 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:38477) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1at59R-0004NF-TV for guix-devel@gnu.org; Wed, 20 Apr 2016 23:19:33 -0400 Received: from jasmine.lan (c-69-249-5-231.hsd1.pa.comcast.net [69.249.5.231]) by mail.messagingengine.com (Postfix) with ESMTPA id E8168C00018 for ; Wed, 20 Apr 2016 23:19:31 -0400 (EDT) List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org This applies from a patch from imlib2's source code repository. The change fixes an integer overflow on 32-bit machines. The upstream says: Security implications: *) for 32-bit machines: insufficient heap allocation and heap overwrite in many image loaders, with escalation potential to remote code execution; *) for 64-bit machines: it seems, no impact. In the patch file, there are references to imlib2's source repo and the CVE page on Mitre. I tested that feh and scrot still work with this change. Leo Famulari (2): gnu: imlib2: Update to 1.4.8. gnu: imlib2: Fix CVE-2016-4024. gnu-system.am | 1 + gnu/packages/image.scm | 5 ++- gnu/packages/patches/imlib2-CVE-2016-4024.patch | 52 +++++++++++++++++++++++++ 3 files changed, 56 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/imlib2-CVE-2016-4024.patch -- 2.7.4