On 04/27/2016 04:25 AM, Kim Woelders wrote:
> On 04/26/2016 07:03 PM, Santiago Torres wrote:
>> On Tue, Apr 26, 2016 at 06:48:15PM +0200, Kim Woelders wrote:
>>> On 04/26/2016 01:27 AM, Simon Lees wrote:
>>>>
>>>>
>>>> On 04/26/2016 04:43 AM, Santiago Torres wrote:
>>>>> Hello everyone,
>>>>>
>>>>> I'm part of Arch's CVE monitoring team. We noticed that there are 4/5
>>>>> CVEs fixed on the latest commits of imlib2, but they are not part of
>>>>> the latest release.
>>>>>
>>>>> We were wondering if a new release is scheduled to come out soon, as we
>>>>> would like to integrate these fixes in our version of imlib2.
>>>>>
>>>>> Having an official release of imlib2 would make things easier for
>>>>> packagers, so they don't have to backport the fixes from the VCS.
>>>>>
>>>>> Thanks in advance!
>>>>> -Santiago.
>>>>>
>>>>
>>>> Hi Santiago,
>>>>
>>>> I believe it's being organised once the issues stop rolling in; from a
>>>> security perspective none of the issues are any more than minor. I'm
>>>> waiting for the same for openSUSE; unfortunately for SUSE Linux
>>>> Enterprise I've had to backport a bunch of stuff.
>>>>
>>>> Cheers
>>>>
>>> If we are done for now I'll roll a release in a couple of days.
>>
>> Nice! Much appreciated.
>>
>>>
>>> I believe these are the CVEs fixed since 1.4.8:
>>> CVE-2011-5326: Fix divide-by-zero on 2x1 ellipse
>>> CVE-2016-3993: Fix off-by-one OOB read
>>> CVE-2016-3994: Fix out-of-bounds read in the GIF loader
>>> CVE-2016-4024: Fix integer overflow
>>>
>>> Please correct me if I'm wrong.
>>
>> I might be wrong, but isn't CVE-2014-9771 somewhere around there also?
>>
>> more info here: http://seclists.org/oss-sec/2016/q2/43
>>
>> Thanks!
>> -Santiago.
>>
> The commit referred to there is 
> https://git.enlightenment.org/legacy/imlib2.git/commit/?id=143f299, 
> which is in 1.4.7.
> 
> However, I'm not quite sure if the problem was really solved before 
> https://git.enlightenment.org/legacy/imlib2.git/commit/?id=7eba2e4,
> which apparently is the fix to CVE-2016-4024.
> 
> For simplicity I'd prefer to pretend that CVE-2014-9771 was fixed by 
> 1.4.7 and CVE-2016-4024 by 1.4.9 (to be released).
> 
> /Kim
> 

Here is my list; there are a few that have been fixed in previous releases
but only got reported as security incidents and had CVEs assigned this
year.

CVE-2014-9762 - 1.4.7 - 39641e74a560982fbf93f29bf96b37d27803cb56 (This was reverted as part of one of the later commits.)
CVE-2014-9763 - 1.4.7 - c21beaf1780cf3ca291735ae7d58a3dde63277a2
CVE-2014-9764 - 1.4.7 - 1f9b0b32728803a1578e658cd0955df773e34f49
CVE-2016-3994 - New   - 37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8
                        bfa12b68fed3c4bb5f6ab9389a116002eaf6842f
                        1efd42161484bafc7dd6174c5a97e190c573dd2a
CVE-2016-3993 - New   - ce94edca1ccfbe314cb7cd9453433fad404ec7ef
CVE-2011-5326 - New   - c94d83ccab15d5ef02f88d42dce38ed3f0892882
CVE-2014-9771 - 1.4.7 - 143f2993d7ccb73b26bb83abac6fa86f443981f9
CVE-2016-4024 - New   - 7eba2e4c8ac0e20838947f10f29d0efe1add8227 (This was introduced in the fix for CVE-2014-9771)


Santiago, note that the following also affect efl:
CVE-2014-9762
https://git.enlightenment.org/core/efl.git/commit/?id=dd90b6afadf706aafec9e53a6b1efa8f899ab277

CVE-2016-3994
https://git.enlightenment.org/core/efl.git/commit/?id=f56e33f429cfc165a5a7e7c75c5b2271ba8b58d8
https://git.enlightenment.org/core/efl.git/commit/?id=dd90b6afadf706aafec9e53a6b1efa8f899ab277

-- 

Simon Lees (Simotek)                            http://simotek.net

Emergency Update Team                           keybase.io/simotek
SUSE Linux                            Adelaide Australia, UTC+9:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B

_______________________________________________
enlightenment-devel mailing list
enlightenment-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel