Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
From: Leo Famulari
Subject: Security bugs in freeimage bundled libraries [was Re: 01/02: gnu: freeimage: Fix CVE-2016-5684.]
Date: Fri, 14 Oct 2016 13:48:20 -0400
User-agent: Mutt/1.7.0 (2016-08-17)
On Fri, Oct 14, 2016 at 10:44:05AM +0000, Efraim Flashner wrote:
> efraim pushed a commit to branch master
> in repository guix.
>
> commit 76e8566c1b3c4876d649e712a5c8c473fd48d134
> Author: Efraim Flashner <address@hidden>
> Date: Fri Oct 14 11:28:21 2016 +0300
>
> gnu: freeimage: Fix CVE-2016-5684.
>
> * gnu/packages/image.scm (freeimage)[source]: Add patch.
> * gnu/packages/patches/freeimage-CVE-2016-5684.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Register it.
> ---
> gnu/local.mk | 1 +
> gnu/packages/image.scm | 3 +-
> gnu/packages/patches/freeimage-CVE-2016-5684.patch | 34 ++++++++++++++++++++
> 3 files changed, 37 insertions(+), 1 deletion(-)
Efraim pointed out on IRC that our freeimage package bundles many
3rd-party libraries:
$ ls -1 FreeImage/Source
CacheFile.h
DeprecationManager
FreeImage
FreeImage.h
FreeImageIO.h
FreeImageLib
FreeImageToolkit
LibJPEG
LibJXR
LibOpenJPEG
LibPNG
LibRawLite
LibTIFF4
LibWebP
MapIntrospector.h
Metadata
OpenEXR
Plugin.h
Quantizers.h
ToneMapping.h
Utilities.h
ZLib
Debian has a patch to make it use "system" copies of the libraries:
https://anonscm.debian.org/cgit/debian-science/packages/freeimage.git/tree/debian/patches/Disable-vendored-dependencies.patch?h=debian/sid
For now, our freeimage package is probably vulnerable to many publicly
disclosed security bugs.
Who volunteers to try fixing this?
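As an added example (not part of the thread or of the Guix package), a POSIX shell script that inventories the vendored copies listed above and prints the version string each one embeds, so a maintainer can compare them with the upstream releases that fixed the publicly disclosed bugs. The header names and version macros are each library's own upstream ones; where those headers sit inside FreeImage's tree is an assumption, which is why each directory is searched rather than a fixed path read.

```shell
#!/bin/sh
# Added example: inventory the third-party libraries vendored under a
# FreeImage-style Source/ directory and print the version each copy claims,
# so it can be compared with the upstream release that fixed a given bug.
# Header names and version macros are each library's own; where the header
# sits inside FreeImage's tree is an assumption, so each directory is searched.

# One record per vendored directory: "<dir>|<header>|<version macro>"
VENDORED='LibJPEG|jversion.h|JVERSION
LibPNG|png.h|PNG_LIBPNG_VER_STRING
LibTIFF4|tiffvers.h|TIFFLIB_VERSION_STR
ZLib|zlib.h|ZLIB_VERSION'

# version_of SRC DIR HEADER MACRO: print the string MACRO is defined to,
# or "unknown" if the header or the definition cannot be found.
# libtiff's string carries embedded "\n" copyright lines; keep the first line.
version_of() {
    hdr=$(find "$1/$2" -name "$3" -type f 2>/dev/null | head -n 1)
    [ -n "$hdr" ] || { echo unknown; return; }
    v=$(sed -n "s/^#define[[:space:]][[:space:]]*$4[[:space:]][[:space:]]*\"\([^\"]*\)\".*/\1/p" "$hdr" \
        | head -n 1 | sed 's/\\n.*//')
    echo "${v:-unknown}"
}

# report SRC: one line per vendored library, "<dir> <version>|unknown|missing"
report() {
    printf '%s\n' "$VENDORED" | while IFS='|' read -r dir hdr macro; do
        if [ -d "$1/$dir" ]; then
            echo "$dir $(version_of "$1" "$dir" "$hdr" "$macro")"
        else
            echo "$dir missing"
        fi
    done
}

# Constructed sample tree mimicking the `ls -1 FreeImage/Source` layout above;
# LibJPEG is present but lacks its version header and so reports "unknown".
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/ZLib" "$d/LibPNG" "$d/LibTIFF4/libtiff" "$d/LibJPEG"
    printf '%s\n' '#define ZLIB_VERSION "1.2.8"' > "$d/ZLib/zlib.h"
    printf '%s\n' '#define PNG_LIBPNG_VER_STRING "1.6.16"' > "$d/LibPNG/png.h"
    printf '%s\n' '#define TIFFLIB_VERSION_STR "LIBTIFF, Version 4.0.3\nCopyright (c) 1988-1996 Sam Leffler"' \
        > "$d/LibTIFF4/libtiff/tiffvers.h"
    echo "$d"
}

# Usage: sh vendored-versions.sh FreeImage/Source
if [ $# -gt 0 ]; then report "$1"; fi
```

Run it against a real checkout and each reported version can be checked against the advisory for the library in question; "unknown" means the copy is too modified or too old to carry the usual header and deserves a closer look.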