Leo Famulari <l...@famulari.name> writes:

> On Fri, Oct 14, 2016 at 10:02:58PM +0800, Alex Vong wrote:
>> Hi,
>>
>> I found out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366,
>> 8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to
>> 0.17.2.
>>
>
>> From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1...@gmail.com>
>> Date: Fri, 14 Oct 2016 21:45:47 +0800
>> Subject: [PATCH] gnu: libraw: Update to 0.17.2.
>>
>> * gnu/packages/photo.scm (libraw): Update to 0.17.2.
>
> Thank you for catching this and sending a patch!
>
> I added the CVE IDs to the commit message and pushed as
> b280e67ca6f62c176c72439df4533a9737b9130a.
>
>> I think we really need a security tracker as suggested earlier (by Leo I
>> think), because the bug was disclosed in Dec 2015, so our libraw has
>> been vulnerable for 3/4 of a year, which is pretty scary!
>
> Did I suggest that? I don't usually suggest creating new infrastructure
> :)
>
Ok. It must be someone else suggesting creating a website... :)
> If we had a security tracker that is as good as Debian's, I would be
> thrilled. I look at their tracker almost daily. On the other hand, there
> are parts of Debian's web infrastructure that seem to be "crumbling" —
> dead links et cetera. I'm loath to add non-automated infrastructure to
> Guix if we can't support it properly. I'd rather lack the infrastructure
> than have it half-baked.
>
> For now I use `guix lint -c cve` and my mailing list / bug tracker
> subscriptions.
>
> By the way, `guix lint -c cve` didn't report these two bugs because they
> are still not "disclosed" in the database from which we pull our CVE
> information [0]:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367
>
> That's why it's important for Guix developers / users to pay attention
> to the upstream development of packages they are interested in. Until
> upstream security fixes can be reliably detected by an automated system,
> there are no substitutes for human attention, only complements.
>
> [0]
> http://git.savannah.gnu.org/cgit/guix.git/tree/guix/cve.scm#n41

Thanks for explaining the current situation. I don't know about `guix
lint -c cve`. It reports many CVE vulnerabilities. How does it know if a
particular vulnerability is fixed by a patch?
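An added illustration of the failure mode Leo describes (a version-aware CVE check that stays silent because the feed it reads has not yet published the relevant entries). This is example code written for this thread, not Guix's `guix lint -c cve` implementation or its `guix/cve.scm`; the feed snapshots and the `CveEntry`/`affecting_cves`/`audit` names are constructed for the example, while the libraw versions and the two CVE ids are the ones discussed above.

```python
# Constructed example, not Guix code: a minimal version-aware CVE matcher
# and what it reports before and after the feed gains the libraw entries.
from dataclasses import dataclass
from typing import Iterable


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '0.17.2' into (0, 17, 2) so versions compare numerically,
    not lexically ('0.9' must sort below '0.17')."""
    return tuple(int(part) for part in text.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if a < b; pads the shorter tuple with zeros so that
    '0.17' and '0.17.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


@dataclass(frozen=True)
class CveEntry:
    cve_id: str
    package: str
    fixed_in: str   # first upstream release carrying the fix


def affecting_cves(package: str, version: str,
                   feed: Iterable[CveEntry]) -> list[str]:
    """CVE ids in `feed` whose fix landed after `version` of `package`."""
    return sorted(
        entry.cve_id
        for entry in feed
        if entry.package == package and version_lt(version, entry.fixed_in)
    )


# Constructed feed snapshots. The first mirrors the situation in the thread:
# the database has no entry yet for the two libraw CVEs, so a checker that
# consults only the feed reports nothing for libraw 0.17.0.
FEED_BEFORE_DISCLOSURE: list[CveEntry] = []

# Once the entries exist, the same checker flags 0.17.0 and clears 0.17.2
# (the version the patch in the thread updates to).
FEED_AFTER_DISCLOSURE = [
    CveEntry("CVE-2015-8366", "libraw", "0.17.1"),
    CveEntry("CVE-2015-8367", "libraw", "0.17.1"),
]


def audit(package: str, version: str, feed: Iterable[CveEntry],
          manual_entries: Iterable[CveEntry] = ()) -> dict:
    """Run the feed check alongside a hand-maintained list of upstream
    advisories (the 'human attention' Leo mentions) and report which
    findings came only from the manual list, i.e. the feed's gap."""
    from_feed = affecting_cves(package, version, feed)
    from_manual = affecting_cves(package, version, manual_entries)
    return {
        "feed": from_feed,
        "manual_only": sorted(set(from_manual) - set(from_feed)),
    }


if __name__ == "__main__":
    print(affecting_cves("libraw", "0.17.0", FEED_BEFORE_DISCLOSURE))
    print(affecting_cves("libraw", "0.17.0", FEED_AFTER_DISCLOSURE))
    print(affecting_cves("libraw", "0.17.2", FEED_AFTER_DISCLOSURE))
    print(audit("libraw", "0.17.0", FEED_BEFORE_DISCLOSURE,
                manual_entries=FEED_AFTER_DISCLOSURE))
```

The `audit` function is the point: a feed-only result of "nothing found" is indistinguishable from "nothing published yet", so keeping a separate, manually curated advisory list and diffing the two makes the feed lag visible instead of silently passing the package.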