This is the mail archive of the
cygwin-apps
mailing list for the Cygwin project.
Re: [SECURITY] libwmf
- From: "Dr. Volker Zell" <dr dot volker dot zell at oracle dot com>
- To: Yaakov Selkowitz <yselkowitz at cygwin dot com>
- Cc: cygwin-apps at cygwin dot com, "dr dot volker dot zell at oracle dot com" <dr dot volker dot zell at oracle dot com>
- Date: Mon, 29 Jun 2015 17:56:09 +0200
- Subject: Re: [SECURITY] libwmf
- Authentication-results: sourceware.org; auth=none
- References: <1433492253 dot 14544 dot 12 dot camel at cygwin dot com> <1433796174 dot 10576 dot 9 dot camel at cygwin dot com> <1435337470 dot 11720 dot 23 dot camel at cygwin dot com>
>>>>> Yaakov Selkowitz writes:
> On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
>> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
>> > Dr. Volker,
>> >
>> > A security vulnerability has been made public for libwmf:
>> >
>> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
>>
>> Actually, it's worse than that. Despite configuring with --with-sys-gd,
>> libwmf is still being built with the bundled libgd (which has either an
>> older or custom API) instead of the system one. Therefore, practically
>> the entire patchset is required to fix all known vulnerabilities:
>>
>> http://pkgs.fedoraproject.org/cgit/libwmf.git/
> Are you still with us?
Yes, but NO time right now (plus upcoming vacation)
Ciao
Volker