This is the mail archive of the cygwin-apps mailing list for the Cygwin project.
Re: [SECURITY] libwmf
- From: Yaakov Selkowitz <yselkowitz at cygwin dot com>
- To: cygwin-apps at cygwin dot com
- Date: Mon, 08 Jun 2015 15:42:54 -0500
- Subject: Re: [SECURITY] libwmf
- Authentication-results: sourceware.org; auth=none
- References: <1433492253 dot 14544 dot 12 dot camel at cygwin dot com>
On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
> Dr. Volker,
>
> A security vulnerability has been made public for libwmf:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1227243
> http://pkgs.fedoraproject.org/cgit/libwmf.git/plain/libwmf-0.2.8.4-CVE-2015-0848.patch
Actually, it's worse than that. Despite configuring with --with-sys-gd,
libwmf is still being built with the bundled libgd (which has either an
older or custom API) instead of the system one. Therefore, practically
the entire patchset is required to fix all known vulnerabilities:
http://pkgs.fedoraproject.org/cgit/libwmf.git/
--
Yaakov