[SECURITY] libwmf
Yaakov Selkowitz
yselkowitz@cygwin.com
Mon Jun 8 20:42:00 GMT 2015
On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
> Dr. Volker,
>
> A security vulnerability has been made public for libwmf:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1227243
> http://pkgs.fedoraproject.org/cgit/libwmf.git/plain/libwmf-0.2.8.4-CVE-2015-0848.patch
Actually, it's worse than that. Despite configuring with --with-sys-gd,
libwmf is still being built with the bundled libgd (which has either an
older or custom API) instead of the system one. Therefore, practically
the entire patchset is required to fix all known vulnerabilities:
http://pkgs.fedoraproject.org/cgit/libwmf.git/
--
Yaakov
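
Added example, not part of the original message and not libwmf or Cygwin packaging code: one way to confirm from a finished build whether libgd comes from the system library or was compiled in, which is the condition the message reports for --with-sys-gd. The function names, the `check_binary` wrapper and all sample tool output below are constructed for illustration; it assumes GNU binutils (`objdump`, `nm`).

```shell
#!/bin/sh
# Classify how a built libwmf binary obtains libgd.
#   $1: text of `objdump -p <binary>` (dynamic section or PE import table)
#   $2: text of `nm --defined-only <binary>` (symbols the binary defines)
# Prints: system | bundled | both | none
classify_gd() {
    imports=$1
    defined=$2
    sys=no
    bundled=no
    # ELF lists "NEEDED libgd.so.N"; PE/Cygwin lists "DLL Name: cyggd-N.dll".
    if printf '%s\n' "$imports" |
        grep -Eq '(NEEDED|DLL Name:)[[:space:]]+(lib|cyg)gd[-.]'; then
        sys=yes
    fi
    # gdImage* functions defined (type T) in the binary itself mean a copy
    # of gd was compiled in, so a system libgd update does not reach it.
    if printf '%s\n' "$defined" |
        grep -Eq '[[:space:]]T[[:space:]]+_?gdImage[A-Za-z]+'; then
        bundled=yes
    fi
    case "$sys/$bundled" in
        yes/no)  echo system ;;
        no/yes)  echo bundled ;;
        yes/yes) echo both ;;
        *)       echo none ;;
    esac
}

# Hypothetical wrapper for a real file: check_binary /path/to/built/library
check_binary() {
    classify_gd "$(objdump -p "$1")" \
        "$(nm --defined-only "$1" 2>/dev/null; nm -D --defined-only "$1" 2>/dev/null)"
}

# Constructed sample output (not taken from any real build).
SAMPLE_IMPORTS_BUNDLED='  NEEDED               libpng16.so.16
  NEEDED               libc.so.6'
SAMPLE_SYMS_BUNDLED='0000000000012340 T gdImageCreate
0000000000012990 T gdImageDestroy
0000000000020000 T wmf_api_create'
SAMPLE_IMPORTS_SYSTEM='	DLL Name: cyggd-3.dll
	DLL Name: cygwin1.dll'
SAMPLE_SYMS_SYSTEM='0000000000020000 T wmf_api_create
                 U gdImageCreate'

classify_gd "$SAMPLE_IMPORTS_BUNDLED" "$SAMPLE_SYMS_BUNDLED"
```

A result of `bundled` or `both` means the binary carries its own gd code and needs the gd fixes applied in the libwmf source tree, independent of the system libgd package.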