This is the mail archive of the
cygwin-apps
mailing list for the Cygwin project.
Re: [SECURITY] libwmf
- From: Yaakov Selkowitz <yselkowitz at cygwin dot com>
- To: cygwin-apps at cygwin dot com
- Cc: "dr dot volker dot zell at oracle dot com" <dr dot volker dot zell at oracle dot com>
- Date: Fri, 26 Jun 2015 11:51:10 -0500
- Subject: Re: [SECURITY] libwmf
- Authentication-results: sourceware.org; auth=none
- References: <1433492253 dot 14544 dot 12 dot camel at cygwin dot com> <1433796174 dot 10576 dot 9 dot camel at cygwin dot com>
On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
> > Dr. Volker,
> >
> > A security vulnerability has been made public for libwmf:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
>
> Actually, it's worse than that. Despite configuring with --with-sys-gd,
> libwmf is still being built with the bundled libgd (which has either an
> older or custom API) instead of the system one. Therefore, practically
> the entire patchset is required to fix all known vulnerabilities:
>
> http://pkgs.fedoraproject.org/cgit/libwmf.git/
Are you still with us?
There has been further additions to that patchset for two more CVEs.
--
Yaakov