This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



Re: [SECURITY] libwmf


On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
> Dr. Volker,
> 
> A security vulnerability has been made public for libwmf:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1227243
> http://pkgs.fedoraproject.org/cgit/libwmf.git/plain/libwmf-0.2.8.4-CVE-2015-0848.patch

Actually, it's worse than that.  Despite configuring with --with-sys-gd,
libwmf is still being built with the bundled libgd (which has either an
older or custom API) instead of the system one.  Therefore, practically
the entire patchset is required to fix all known vulnerabilities:

http://pkgs.fedoraproject.org/cgit/libwmf.git/

--
Yaakov


