This is the mail archive of the cygwin-apps mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow

From: Charles Wilson <cygwin at cwilson dot fastmail dot fm>
To: Mailing List: CygWin-Apps <cygwin-apps at cygwin dot com>
Date: Fri, 27 Jul 2007 00:49:05 -0400
Subject: Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow
References: <4681EC61.7080108@users.sourceforge.net> <20070627072833.GB15182@calimero.vinschen.de> <46A6E9CB.8030008@users.sourceforge.net> <20070725062838.GN19692@calimero.vinschen.de> <20070725063506.GP19692@calimero.vinschen.de> <46A6F0BF.4060104@users.sourceforge.net> <20070725065202.GQ19692@calimero.vinschen.de> <46A6F7D5.2030106@users.sourceforge.net> <46A7F8D1.8080100@users.sourceforge.net> <20070726071758.GA19692@calimero.vinschen.de> <20070726143259.GC31814@ednor.casa.cgf.cx> <46A942FE.5000005@users.sourceforge.net>

Yaakov (Cygwin Ports) wrote:

I'm not sure what you mean by "linked" to rpm. While I'm aware that

popt was originally developed for rpm, it is a separate package used by
many other projects; and while the library (supposedly) hasn't had any
API breakage, surely the functionality has improved over 5+ years.

IOW, upgrading popt should have nothing to do with Cygwin's version of
rpm, although understandably you would want to test that first.

Well, popt is an odd duck. In the days of yore, the version distributed as an integrated part of the rpm source code was more up-to-date than any actual "versioned" release of the separate popt src tarballs. So there was always the question of whether to pull an outdated but official release of popt -src, or to extract it from the rpm tarball.

Then, rpm development kinda died off there for a while (and popt, with it). Now, rpm has been forked: there's the Jeff Johnson version (supported by OpenPkg/Mandriva/PLD, among others) at rpm5.org that's been under active development ever since Jeff left Red Hat in 2005.

Then, there's the Red Hat/Fedora version at rpm.org, supported also by SuSe/Novell, which finally started getting some renewed development from those distros last December -- spurred on, no doubt, by Jeff's "official" announcement of his fork and launch of his rpm5.org site.

In each case, this fork also represents a fork of popt.

So, which one should be used? Obviously, that's up to the popt maintainer. If it were me, I'd have taken a wait-and-see attitude, hoping the forks would settle down (perhaps "unforking" the internal support libraries such as popt.)

--
Chuck

References:
- Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow
  - From: Yaakov (Cygwin Ports)
- Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow
  - From: Corinna Vinschen
- Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow
  - From: Corinna Vinschen
- Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow
  - From: Yaakov (Cygwin Ports)
- Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow
  - From: Corinna Vinschen
- Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow
  - From: Yaakov (Cygwin Ports)
- Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow
  - From: Yaakov (Cygwin Ports)
- Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow
  - From: Corinna Vinschen
- Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow
  - From: Christopher Faylor
- Re: SECURITY: [ GLSA 200706-09 ] libexif: Buffer overflow
  - From: Yaakov (Cygwin Ports)

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]