Hi,

I found out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366, 8367} [0], which is fixed in 0.17.1 [1]. The patch below updates libraw to 0.17.2.
From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001 From: Alex Vong <alexvong1...@gmail.com> Date: Fri, 14 Oct 2016 21:45:47 +0800 Subject: [PATCH] gnu: libraw: Update to 0.17.2. * gnu/packages/photo.scm (libraw): Update to 0.17.2. --- gnu/packages/photo.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/photo.scm b/gnu/packages/photo.scm index 8eb5337..f4d110e 100644 --- a/gnu/packages/photo.scm +++ b/gnu/packages/photo.scm @@ -51,14 +51,14 @@ (define-public libraw (package (name "libraw") - (version "0.17.0") + (version "0.17.2") (source (origin (method url-fetch) (uri (string-append "http://www.libraw.org/data/LibRaw-" version ".tar.gz")) (sha256 (base32 - "043kckxjqanw8dl3m9f6kvsf0l20ywxmgxd1xb0slj6m8l4w4hz6")))) + "0p6imxpsfn82i0i9w27fnzq6q6gwzvb9f7sygqqakv36fqnc9c4j")))) (build-system gnu-build-system) (home-page "http://www.libraw.org") (synopsis "Raw image decoder") -- 2.10.1
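Review bot: the commit message should name the CVEs this update closes; as written, `gnu: libraw: Update to 0.17.2.` reads as a routine version bump, while the cover text says the fixes for CVE-2015-8366 and CVE-2015-8367 landed in 0.17.1. Adding a line such as `Fixes CVE-2015-8366 and CVE-2015-8367.` under the ChangeLog entry makes the security relevance greppable in the git log later. The diff itself cannot show whether the new sha256 `0p6imxpsfn82i0i9w27fnzq6q6gwzvb9f7sygqqakv36fqnc9c4j` really corresponds to the 0.17.2 tarball, so the committer should re-derive it with `guix download http://www.libraw.org/data/LibRaw-0.17.2.tar.gz` before pushing; the unchanged `uri` context line still fetches over plain http, so that hash is the only integrity check on the download.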
I think we really need a security tracker as suggested earlier (by Leo I think), because the bug was disclosed in Dec 2015, so our libraw has been vulnerable for 3/4 of a year, which is pretty scary!

Alex

[0]: https://security-tracker.debian.org/tracker/source-package/libraw
[1]: https://github.com/LibRaw/LibRaw/commit/89d065424f09b788f443734d44857289489ca9e2
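The "security tracker" idea in the message boils down to one check: is the version we package older than the version in which each known CVE was fixed? The following is an added example (not Guix code and not part of the original message) of that check. The CVE table is constructed from the numbers quoted above; a real tracker would pull it from a feed such as the Debian security tracker instead. The point it demonstrates beyond the message is that the comparison must be numeric per component, since a string comparison would wrongly treat 0.17.10 as older than 0.17.2.

```python
"""Minimal version-based CVE exposure check (added example, not Guix code)."""
import re
from typing import Dict, List, Tuple

# Constructed data from the message: CVE -> (package, first fixed upstream version).
FIXED_IN: Dict[str, Tuple[str, str]] = {
    "CVE-2015-8366": ("libraw", "0.17.1"),
    "CVE-2015-8367": ("libraw", "0.17.1"),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so that 0.17.10 > 0.17.2
    (plain string comparison would get this wrong)."""
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True when version a is strictly older than b.
    Missing trailing components count as zero, so 0.17 == 0.17.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return ta < tb


def unfixed_cves(package: str, version: str,
                 fixed_in: Dict[str, Tuple[str, str]] = FIXED_IN) -> List[str]:
    """Return the CVEs affecting `package` at `version`, i.e. those whose
    fixed version is newer than the one we ship."""
    return sorted(cve for cve, (pkg, fixed) in fixed_in.items()
                  if pkg == package and version_lt(version, fixed))


if __name__ == "__main__":
    # The two versions from the patch: before and after the update.
    for v in ("0.17.0", "0.17.2"):
        open_cves = unfixed_cves("libraw", v)
        print(f"libraw {v}: {open_cves or 'no known open CVEs'}")
```

Running it reports both CVEs against 0.17.0 and nothing against 0.17.2, which is exactly the gap the patch closes; wiring the same function over every package definition would give the tracker the message asks for.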