Re: kdesu security update needed

2016-10-03 Thread Leo Famulari
On Mon, Oct 03, 2016 at 11:36:48PM +0200, Ludovic Courtès wrote:
> Leo Famulari skribis:
>
> > On Sat, Oct 01, 2016 at 02:19:05PM +0200, Ludovic Courtès wrote:
> >> Leo Famulari skribis:
> >> > An aside, the CVE linter gives false positives for grafted packages. For
> >> > example, try `guix lin

Re: kdesu security update needed

2016-10-03 Thread Ludovic Courtès
Leo Famulari skribis:
> On Sat, Oct 01, 2016 at 02:19:05PM +0200, Ludovic Courtès wrote:
>> Leo Famulari skribis:
>> > An aside, the CVE linter gives false positives for grafted packages. For
>> > example, try `guix lint -c cve openssl@1.0`.
>>
>> That’s been annoying me for some time so I’d li

Re: kdesu security update needed

2016-10-02 Thread Ludovic Courtès
David Craven skribis:
> One question that wasn't answered yet in your description and the
> manual is how the linter detects when a package is patched. I assume
> it looks at the applied patch names see if they contain a CVE code?

Exactly: it checks the version number and the name of the applied

Re: kdesu security update needed

2016-10-01 Thread Leo Famulari
On Sat, Oct 01, 2016 at 02:19:05PM +0200, Ludovic Courtès wrote:
> Leo Famulari skribis:
> > An aside, the CVE linter gives false positives for grafted packages. For
> > example, try `guix lint -c cve openssl@1.0`.
>
> That’s been annoying me for some time so I’d like to see if we can
> improve g

Re: kdesu security update needed

2016-10-01 Thread David Craven
Thank you for the info @Leo and @Ludo, just noticed that it's mentioned in the manual. One question that wasn't answered yet in your description and the manual is how the linter detects when a package is patched. I assume it looks at the applied patch names see if they contain a CVE code?

Re: kdesu security update needed

2016-10-01 Thread Ludovic Courtès
Leo Famulari skribis:
> On Thu, Sep 29, 2016 at 08:52:34PM +0200, David Craven wrote:
>> Ah just checked our linter doesn't flag a CVE, so I think we're ok...
>
> The linter is a good tool for catching things that we miss, but it's not
> a substitute for manual investigation :)

+1

> First, our

Re: kdesu security update needed

2016-09-29 Thread Leo Famulari
On Thu, Sep 29, 2016 at 08:35:53PM +0200, David Craven wrote:
> > David, since you added all the KDE packages, can you look into this bug
> > and see what we need to do to protect against it?
>
> They have a vendored kdesu. The source files look pretty different
> now, and I'm having a little trou

Re: kdesu security update needed

2016-09-29 Thread Leo Famulari
On Thu, Sep 29, 2016 at 08:52:34PM +0200, David Craven wrote:
> Ah just checked our linter doesn't flag a CVE, so I think we're ok...

The linter is a good tool for catching things that we miss, but it's not
a substitute for manual investigation :)

First, our package's name might not match the nam
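The thread describes the rule behind `guix lint -c cve` (compare the package name and version against the advisory, then treat a CVE as fixed when its identifier appears in the name of an applied patch) and two of its limits: the package name may not match the name the advisory is filed against, as with a vendored kdesu, and a grafted package is flagged even though its replacement carries the fix, as with `guix lint -c cve openssl@1.0`. The following is an added example that models that rule in Python so both limits can be reproduced; it is not Guix's own code, and the CVE identifiers, version numbers and package records are constructed for the demo rather than taken from any real advisory.

```python
"""Toy model of a CVE lint check as described in the thread.

Added example, not Guix's `guix lint -c cve` implementation.  It applies the
rule the thread describes (match the package name, match the version, then
look for the CVE id in the names of the applied patches) to constructed data.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# A CVE identifier as it appears in a patch file name, e.g. "foo-CVE-2016-7787.patch".
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass(frozen=True)
class Cve:
    cve_id: str
    product: str                          # name the advisory is filed against
    vulnerable_versions: FrozenSet[str]   # stands in for a CPE version range


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    patches: Tuple[str, ...] = ()
    replacement: Optional["Package"] = None   # graft target, if the package is grafted


def cves_named_in_patches(patches: Tuple[str, ...]) -> FrozenSet[str]:
    """Collect every CVE identifier mentioned in the patch file names."""
    found = set()
    for patch in patches:
        found.update(CVE_RE.findall(patch))
    return frozenset(found)


def lint_cve(pkg: Package, cve_db: Tuple[Cve, ...], follow_graft: bool = False) -> List[str]:
    """Return the CVE ids that match `pkg` and are not covered by a patch name.

    With follow_graft=False the package is linted as declared, which reproduces
    the false positive for grafted packages mentioned in the thread.  With
    follow_graft=True the graft replacement is linted instead.
    """
    target = pkg.replacement if (follow_graft and pkg.replacement is not None) else pkg
    patched = cves_named_in_patches(target.patches)
    flagged = []
    for cve in cve_db:
        if cve.product != target.name:           # exact name match only
            continue
        if target.version not in cve.vulnerable_versions:
            continue
        if cve.cve_id in patched:                # a patch named after the CVE counts as fixed
            continue
        flagged.append(cve.cve_id)
    return sorted(flagged)


# Constructed sample data: these CVE ids, versions and package records are made
# up for the demo and do not describe real advisories.
CVE_DB = (
    Cve("CVE-2016-99901", "kdesu", frozenset({"5.26.0", "5.27.0"})),
    Cve("CVE-2016-99902", "openssl", frozenset({"1.0.2h"})),
)

KDESU_UNPATCHED = Package("kdesu", "5.26.0")
KDESU_PATCHED = Package("kdesu", "5.26.0", patches=("kdesu-CVE-2016-99901.patch",))
OPENSSL_FIXED = Package("openssl", "1.0.2i")
OPENSSL_GRAFTED = Package("openssl", "1.0.2h", replacement=OPENSSL_FIXED)
# Vendors kdesu, but its name is not the one the advisory is filed against.
KDE_CLI_TOOLS = Package("kde-cli-tools", "5.7.5")


def demo() -> dict:
    """Run the check over the sample packages and return the findings per case."""
    return {
        "unpatched": lint_cve(KDESU_UNPATCHED, CVE_DB),                       # ['CVE-2016-99901']
        "patched": lint_cve(KDESU_PATCHED, CVE_DB),                           # []
        "graft_naive": lint_cve(OPENSSL_GRAFTED, CVE_DB),                     # ['CVE-2016-99902'], false positive
        "graft_aware": lint_cve(OPENSSL_GRAFTED, CVE_DB, follow_graft=True),  # []
        "vendored": lint_cve(KDE_CLI_TOOLS, CVE_DB),                          # [], false negative from the name mismatch
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:12s} {hits or 'no CVE flagged'}")
```

The `vendored` case is the one the thread warns about: an exact-name check cannot know that kde-cli-tools ships its own copy of kdesu, so a clean lint result there says nothing about whether the vendored code is affected, and the patch-name rule likewise only credits a fix whose patch file is named after the CVE.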

Re: kdesu security update needed

2016-09-29 Thread David Craven
Ah just checked our linter doesn't flag a CVE, so I think we're ok...

Re: kdesu security update needed

2016-09-29 Thread David Craven
> David, since you added all the KDE packages, can you look into this bug
> and see what we need to do to protect against it?

They have a vendored kdesu. The source files look pretty different now, and I'm having a little trouble seeing if the problem is in kde kdesu or just kde-cli-tools kdesu. F

kdesu security update needed

2016-09-29 Thread Leo Famulari
kdesu has a string handling bug, CVE-2016-7787: http://seclists.org/oss-sec/2016/q3/653 David, since you added all the KDE packages, can you look into this bug and see what we need to do to protect against it?