On Sat, Mar 07, 2015 at 01:14:32AM -0700, Theo de Raadt wrote:
> > On Thu, Mar 05, 2015 at 05:52:12PM +0000, Stuart Henderson wrote:
> > > On 2015/03/05 12:41, Ted Unangst wrote:
> > > > Boudewijn Dijkstra wrote:
> > > > > Op Wed, 04 Mar 2015 23:12:07 +0100 schreef Ted Unangst 
> > > > > <t...@tedunangst.com>:
> > > > > > Freetype (http://www.freetype.org/) 2.5.5 was released a little
> > > > > > while ago, fixing some security vulnerabilities. Actually as I
> > > > > > understand it, 2.5.4 fixed the vulns, then 2.5.5 fixed the fix.
> > > > > >
> > > > > > OpenBSD 5.7 will ship with 2.5.5; 5.6 shipped with 2.5.3 and is
> > > > > > therefore vulnerable.
> > > > > >
> > > > > > [...]
> > > > > >
> > > > > > Unfortunately, the FreeType project does not appear to have made
> > > > > > these patches available separately from the releases, which makes
> > > > > > it difficult for us to apply backports to OpenBSD.
> > > > > 
> > > > > I guess the most important thing is to give users the opportunity to 
> > > > > fix the vulns.  Will there be a CVS tag that 5.6 users can use to 
> > > > > update FreeType to 2.5.5?
> > > > 
> > > > No. That's too large a change.
> > > > 
> > > 
> > > Specifically there was a major version number bump to the library in
> > > the 2.5.4 update. That means that other programs built to use freetype
> > > would also need to be re-built.
> > > 
> > > Moving to -current is considerably easier.
> > 
> > So, in fact all 5.6 users are sitting with a vulnerable freetype in base now.
> > Excellent!
> 
> Thank you for your wise commentary.
> 
> Are you going to do something -- beyond just being sarcastic?  Or is
> this a demonstration of your limited nature?
> 
> The previous mails (enough of the bodies included above) are pretty clear
> about the scope of the issue and the reasoning.
> 
> Perhaps there is room here for someone to demonstrate that the wrong
> decision has been made, by providing diffs, but the onus would be on
> you.  Have you started?

No. I wouldn't lift a finger. It is your duty as a developer of the "most
secure OS".
Do it! Or shut up and stop pretending that OpenBSD is in any way secure to use.
