SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

Charles Wilson cygwin@cwilson.fastmail.fm
Fri Jul 27 04:49:00 GMT 2007


Yaakov (Cygwin Ports) wrote:
> I'm not sure what you mean by "linked" to rpm.  While I'm aware that
> popt was originally developed for rpm, it is a separate package used by
> many other projects; and while the library (supposedly) hasn't had any
> API breakage, surely the functionality has improved over 5+ years.
> 
> IOW, upgrading popt should have nothing to do with Cygwin's version of
> rpm, although understandably you would want to test that first.

Well, popt is an odd duck.  In the days of yore, the version distributed 
as an integrated part of the rpm source code was more up-to-date than 
any actual "versioned" release of the separate popt src tarballs.  So 
there was always the question of whether to pull an outdated but 
official release of popt -src, or to extract it from the rpm tarball.

Then, rpm development kinda died off there for a while (and popt, with 
it).  Now, rpm has been forked: there's the Jeff Johnson version 
(supported by OpenPkg/Mandriva/PLD, among others) at rpm5.org that's 
been under active development ever since Jeff left Red Hat in 2005.

Then, there's the Red Hat/Fedora version at rpm.org, supported also by 
SuSe/Novell, which finally started getting some renewed development from 
those distros last December -- spurred on, no doubt, by Jeff's 
"official" announcement of his fork and launch of his rpm5.org site.

In each case, this fork also represents a fork of popt.

So, which one should be used? Obviously, that's up to the popt 
maintainer.  If it were me, I'd have taken a wait-and-see attitude, 
hoping the forks would settle down (perhaps "unforking" the internal 
support libraries such as popt.)

--
Chuck