This is the mail archive of the
mailing list for the Cygwin project.
Re: [SECURITY] libwmf
- From: "Dr. Volker Zell" <dr dot volker dot zell at oracle dot com>
- To: Yaakov Selkowitz <yselkowitz at cygwin dot com>
- Cc: cygwin-apps at cygwin dot com, "Dr. Volker Zell" <dr dot volker dot zell at oracle dot com>
- Date: Fri, 10 Jul 2015 07:43:02 +0200
- Subject: Re: [SECURITY] libwmf
- Authentication-results: sourceware.org; auth=none
- References: <1433492253 dot 14544 dot 12 dot camel at cygwin dot com> <1433796174 dot 10576 dot 9 dot camel at cygwin dot com> <1435337470 dot 11720 dot 23 dot camel at cygwin dot com> <vriv381a33vq dot fsf at VZELL-LAP dot de dot oracle dot com> <1436472549 dot 7208 dot 46 dot camel at cygwin dot com>
>>>>> Yaakov Selkowitz writes:
> On Mon, 2015-06-29 at 17:56 +0200, Dr. Volker Zell wrote:
>> >>>>> Yaakov Selkowitz writes:
>> > On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
>> >> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
>> >> > Dr. Volker,
>> >> >
>> >> > A security vulnerability has been made public for libwmf:
>> >> >
>> >> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
>> >> Actually, it's worse than that. Despite configuring with --with-sys-gd,
>> >> libwmf is still being built with the bundled libgd (which has either an
>> >> older or custom API) instead of the system one. Therefore, practically
>> >> the entire patchset is required to fix all known vulnerabilities:
>> >> http://pkgs.fedoraproject.org/cgit/libwmf.git/
>> > Are you still with us?
>> Yes, but NO time right now (plus upcoming vacation)
> Understood, I've uploaded 0.2.8.4-15 with the complete patchset.
> BTW, tzcode has been a bit neglected as of late, and it's the sort of
> package that really needs to be kept timely (forgive the pun). Would
> you mind if we took over maintainership?
Just go ahead...