(Forwarding for completeness)

----- Original message -----
From: Moritz Mühlenhoff <j...@inutil.org>
To: Chris Lamb <la...@debian.org>
Cc: "Manuel A. Fernandez Montecelo" <manuel.montez...@gmail.com>, t...@security.debian.org
Subject: Re: Bug#912617: libsdl2-image: CVE-2018-3977: do_layer_surface code execution vulnerability
Date: Wed, 7 Nov 2018 23:07:52 +0100

On Wed, Nov 07, 2018 at 05:02:39PM -0500, Chris Lamb wrote:
> Dear Moritz,
>
> I notice you (?) dropped the related bug numbers. Was this deliberate?

Sorry, accidental. I meant to strip Salvatore as he's already getting those
mails via team@sdo and dropped the bugs by accident.

> > I don't think this warrants a DSA, IMG_LoadXCF_RW() doesn't seem to be in use
> > in the archive at all and it's hard to imagine a real world SDL application
> > parsing XCF files from untrusted sources.
>
> ACK here. I've updated the tracker for stretch here:
>
>   https://salsa.debian.org/security-tracker-team/security-tracker/commit/bb671421029223793d3e1e7c4e07d898a1a3aedb
>
> (Let me know if I shouldn't ever touch stable.)

Thanks, committing changes for stable is totally fine if it's recording existing
discussions!

Cheers,
Moritz