Opened 13 years ago

Closed 13 years ago

Last modified 12 years ago

#2697 closed task (fixed)

Imlib2-1.4.2 and BLFS-6.3.

Reported by: Ag. Hatzimanikas Owned by: Ag. Hatzimanikas
Priority: high Milestone:
Component: BOOK Version: SVN
Severity: major Keywords:
Cc:

Description

BLFS-6.3 release shipped with a vulnerable version of Imlib2.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2426
https://bugzilla.redhat.com/show_bug.cgi?id=449073#c4
http://bugs.gentoo.org/223965

The solution was either to upgrade to 1.4.1 or to apply the patch listed in Fedora's bug report, or this direct link from Gentoo:

http://sources.gentoo.org/viewcvs.py/*checkout*/gentoo-x86/media-libs/imlib2/files/imlib2-1.4.0-CVE-2008-2426.patch

This would be a perfect candidate for errata, but (unfortunately) another vulnerability was discovered recently by Julien Danjou (author of the awesome window manager), see:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5187

This was addressed by upstream:

http://trac.enlightenment.org/e/ticket/136

and the fix, here:

http://trac.enlightenment.org/e/changeset/37744

We can handle the update for the development BLFS, but what about the stable book?

Change History (9)

comment:1 by bdubbs@…, 13 years ago (in reply to: description)

Replying to ag@…:

We can handle the update for the development BLFS, but what about the stable book?

Just post the proposed wording, and we can get this into the errata very quickly.

comment:2 by Ag. Hatzimanikas, 13 years ago (in reply to: comment:1)

Replying to bdubbs@…:

Just post the proposed wording, and we can get this into the errata very quickly.

I think it's not a matter of wording but a matter of what is the best thing to do, so I really don't know, since even if we say to upgrade to 1.4.1 or to 1.4.2 or to apply the patch from Gentoo, we'll end up with a vulnerable package.

So we have four choices (in my mind), but all of them ugly (more or less):

a) Ignore the issue

b) Upgrade to 1.4.2 in the development book with the patch applied, and simply say to follow the instructions from the development version of the book

c) Concatenate the two patches and then point to it (in errata) with a note to apply it (it might have side effects)

d) (similar, but safer, though even uglier) Roll a patch with all the changes to the source code since 1.4.0

In my opinion a better option is to release a point release with all the changes (the current one and the one from #2687), but this needs discussion first; if I had to choose from those four, it would be the second one.

comment:3 by bdubbs@…, 13 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: new → assigned

comment:4 by bdubbs@…, 13 years ago

Resolution: fixed
Status: assigned → closed

Updated to Imlib2-1.4.2 in revision 7667.

Also added an erratum entry to the stable book's errata web page.

comment:5 by Ag. Hatzimanikas, 13 years ago

Resolution: fixed
Status: closed → reopened

Reopening to apply the fix for CVE-2008-5187.

Patch submitted.

comment:6 by Ag. Hatzimanikas, 13 years ago

Owner: changed from bdubbs@… to Ag. Hatzimanikas
Status: reopened → new

comment:7 by bdubbs@…, 13 years ago

Ag, what's going on? I thought that the fix for CVE-2008-5187 was already in 1.4.2.

comment:8 by Ag. Hatzimanikas, 13 years ago

Resolution: fixed
Status: new → closed

No, it's not; that's why I said it was overcomplicated. See the last links in the description.

Anyway, it was fixed in r7672.

And thanks for the errata entry also.

comment:9 by (none), 12 years ago

Milestone: 6.4

Milestone 6.4 deleted
