On 04/28/2016 11:00 AM, Simon Lees wrote:
>
>
> On 04/28/2016 09:38 AM, Simon Lees wrote:
>>
>>
>> On 04/27/2016 04:25 AM, Kim Woelders wrote:
>>> On 04/26/2016 07:03 PM, Santiago Torres wrote:
>>>> On Tue, Apr 26, 2016 at 06:48:15PM +0200, Kim Woelders wrote:
>>>>> On 04/26/2016 01:27 AM, Simon Lees wrote:
>>>>>>
>>>>>>
>>>>>> On 04/26/2016 04:43 AM, Santiago Torres wrote:
>>>>>>> Hello everyone,
>>>>>>>
>>>>>>> I'm part of Arch's CVE monitoring team. We noticed that there are 4/5
>>>>>>> CVEs fixed on the latest commits of imlib2, but they are not part of
>>>>>>> the latest release.
>>>>>>>
>>>>>>> We were wondering if a new release is scheduled to come out soon, as we
>>>>>>> would like to integrate these fixes in our version of imlib2.
>>>>>>>
>>>>>>> Having an official release of imlib2 would make things easier for
>>>>>>> packagers, so they don't have to backport the fixes from the VCS.
>>>>>>>
>>>>>>> Thanks in advance!
>>>>>>> -Santiago.
>>>>>>>
>>>>>>
>>>>>> Hi Santiago,
>>>>>>
>>>>>> I believe it's being organised once the issues stop rolling in, from a
>>>>>> security perspective none of the issues are any more than minor. I'm
>>>>>> waiting for the same for openSUSE, unfortunately for SUSE Linux
>>>>>> Enterprise I've had to backport a bunch of stuff.
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>> If we are done for now I'll roll a release in a couple of days.
>>>>
>>>> Nice! Much appreciated.
>>>>
>>>>>
>>>>> I believe these are the CVEs fixed since 1.4.8:
>>>>> CVE-2011-5326: Fix divide-by-zero on 2x1 ellipse
>>>>> CVE-2016-3993: Fix off-by-one OOB read
>>>>> CVE-2016-3994: Fix out-of-bounds read in the GIF loader
>>>>> CVE-2016-4024: Fix integer overflow
>>>>>
>>>>> Please correct me if I'm wrong.
>>>>
>>>> I might be wrong, but isn't CVE-2014-9771 somewhere around there also?
>>>>
>>>> more info here: http://seclists.org/oss-sec/2016/q2/43
>>>>
>>>> Thanks!
>>>> -Santiago.
>>>>
>>> The commit referred to there is
>>> https://git.enlightenment.org/legacy/imlib2.git/commit/?id=143f299,
>>> which is in 1.4.7.
>>>
>>> However, I'm not quite sure if the problem was really solved before
>>> https://git.enlightenment.org/legacy/imlib2.git/commit/?id=7eba2e4,
>>> which apparently is the fix to CVE-2016-4024.
>>>
>>> For simplicity I'd prefer to pretend that CVE-2014-9771 was fixed by
>>> 1.4.7 and CVE-2016-4024 by 1.4.9 (to be released).
>>>
>>> /Kim
>>>
>>
>> Here is my list, there's a few that have been fixed in previous releases
>> but only got reported as security incidents and had CVEs assigned this
>> year.
>>
>> CVE-2014-9762 - 1.4.7 - 39641e74a560982fbf93f29bf96b37d27803cb56 - This
>> was reverted as part of one of the later commits.
>> CVE-2014-9763 - 1.4.7 - c21beaf1780cf3ca291735ae7d58a3dde63277a2
>> CVE-2014-9764 - 1.4.7 - 1f9b0b32728803a1578e658cd0955df773e34f49
>> CVE-2016-3994 - New - 37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8
>> bfa12b68fed3c4bb5f6ab9389a116002eaf6842f
>> 1efd42161484bafc7dd6174c5a97e190c573dd2a
>> CVE-2016-3993 - New - ce94edca1ccfbe314cb7cd9453433fad404ec7ef
>> CVE-2011-5326 - New - c94d83ccab15d5ef02f88d42dce38ed3f0892882
>> CVE-2014-9771 - 1.4.7 - 143f2993d7ccb73b26bb83abac6fa86f443981f9
>> CVE-2016-4024 - New - 7eba2e4c8ac0e20838947f10f29d0efe1add8227 (This
>> was introduced in the fix for CVE-2014-9771)
>>
>>
>> Santiago, note that the following also affect efl:
>> CVE-2014-9762
>> https://git.enlightenment.org/core/efl.git/commit/?id=dd90b6afadf706aafec9e53a6b1efa8f899ab277
>>
>> CVE-2016-3994
>> https://git.enlightenment.org/core/efl.git/commit/?id=f56e33f429cfc165a5a7e7c75c5b2271ba8b58d8
>> https://git.enlightenment.org/core/efl.git/commit/?id=dd90b6afadf706aafec9e53a6b1efa8f899ab277
>>
>
> Seeing as people like to give CVEs to everything that can trigger a crash
> I'll request one for a0259d5181b9bd5c2e74077dea4ae36472798a96 as well
> and post back here once it's assigned
>

Hi, we probably won't proceed with taking out a CVE unless someone can give
us a clear indication of what and where the potential crashes were.

-- 
Simon Lees (Simotek)                    http://simotek.net
Emergency Update Team                   keybase.io/simotek
SUSE Linux                              Adelaide Australia, UTC+9:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
_______________________________________________
enlightenment-devel mailing list
enlightenment-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel