#2697 closed task (fixed)
Imlib2-1.4.2 and BLFS-6.3.
Reported by: | Ag. Hatzimanikas | Owned by: | Ag. Hatzimanikas |
---|---|---|---|
Priority: | high | Milestone: | |
Component: | BOOK | Version: | SVN |
Severity: | major | Keywords: | |
Cc: | | | |
Description
BLFS-6.3 release shipped with a vulnerable version of Imlib2.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2426
https://bugzilla.redhat.com/show_bug.cgi?id=449073#c4
http://bugs.gentoo.org/223965
The solution was either to upgrade to 1.4.1, or to apply the patch listed in Fedora's bug report, or to use this direct link from Gentoo:
This would be a perfect candidate for errata, but (unfortunately) another vulnerability was discovered recently by Julien Danjou (author of the awesome window manager); see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5187
This got addressed by upstream:
http://trac.enlightenment.org/e/ticket/136
and the fix is here:
http://trac.enlightenment.org/e/changeset/37744
We can handle the update for the development BLFS, but what about the stable book?
Change History (9)
comment:1 by , 16 years ago (follow-up: 2)
comment:2 by , 16 years ago
Replying to bdubbs@…:
> Just post the proposed wording, and we can get this into the errata very quickly.
I think it's not a matter of wording but a matter of what is the best thing to do, so I really don't know, since even if we say to upgrade to 1.4.1 or to 1.4.2 or to apply the patch from Gentoo, we'll end up with a vulnerable package.
So we have four choices (in my mind), but all of them ugly (more or less):
a) Ignore the issue
b) Upgrade to 1.4.2 in the development book with the patch applied, and simply say to follow the instructions from the development version of the book
c) Concatenate the two patches and then point to it (in the errata) with a note to apply it (it might have side effects)
d) (similar, safer, but even uglier) Roll a patch with all the changes to the source code since 1.4.0
In my opinion a better option is to release a point release with all the changes (the current one and the one from #2687), but this needs discussion first; if I had to choose from those four, it would be the second one.
comment:3 by , 16 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:4 by , 16 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Updated to Imlib2-1.4.2 in revision 7667.
Also added an erratum entry to the stable book's errata web page.
comment:5 by , 16 years ago
Resolution: | fixed |
---|---|
Status: | closed → reopened |
Reopening to apply the fix for CVE-2008-5187.
Patch submitted.
comment:6 by , 16 years ago
Owner: | changed from | to
---|---|
Status: | reopened → new |
comment:7 by , 16 years ago
Ag, what's going on? I thought that the fix for CVE-2008-5187 was already in 1.4.2.
comment:8 by , 16 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
No, it's not; that's why I said it was overcomplicated. See the last links in the description.
Anyway it was fixed in r7672.
And thanks for the errata entry also.
Replying to ag@…:
Just post the proposed wording, and we can get this into the errata very quickly.