This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



Re: [SECURITY] libpng vulnerabilities


On Tue, 2011-07-26 at 17:40 -0400, Charles Wilson wrote:
> On 7/26/2011 4:38 PM, Yaakov (Cygwin/X) wrote:
> > On Tue, 2011-07-26 at 15:48 -0400, Charles Wilson wrote:
> >> General question: would it be acceptable to move libpng10 to obsolete
> >> (removing libpng10-devel), and NOT update it -- rather than removing it
> >> entirely?
> > 
> > No, because anything which others may have built against it would remain
> > vulnerable (and the same goes for the old libpng2 BTW). 
> > If libpng10 stays, it needs to be updated,
> 
> Nope, disagree.

What else is new. :-)

> If something is obsolete, then the maintainer IMO has no further obligation
> to keep it updated.

If we weren't discussing a security vulnerability, I would agree.  But
as long as it remains in the distribution, we have a responsibility to
make sure that it's not vulnerable.

> Removing a DLL immediately breaks -- as in, nonfunctional -- all apps that
> rely on it, and that's just evil.  (I know, WJM and all, but there's mean,
> and then there's evil).

Removing a package from the distro doesn't remove it from users'
systems, so if anyone has anything built against libpng10, it will not
break, we just won't take responsibility for it anymore.  Of course, an
announcement should be made to this effect.

Therefore, since nothing in the distro relies on libpng10 anymore, I
see no problem in just pulling it entirely.  I don't even think that's
mean, particularly given libpng10's age (libpng12 was added in May 2002,
and libpng14 last August).

> It should be the user's choice whether to continue using an old DLL that
> may have a security flaw, rather than us saying: too bad. I'm going to
> make it so you can't run that app anymore, because I know better than
> you. Very Microsoftian.

The major distros all remove obsolete shlibs from their repos once
nothing further therein depends on it; why should we be any different,
particularly when doing so doesn't break existing user-built apps?

> My question is, whether it is just too cheesy to move a currently
> NON-obsolete, but very old and apparently unused, DLL /into/ obsolete
> status, MERELY to avoid the need to update it.

Definitely, it seems irresponsible on our part.

> > but removing libpng10-devel is a good idea in any case.
> 
> Well, on that we agree.

While we're at it, once the following packages are rebuilt, we can
remove libpng12-devel as well:

autotrace
fltk
gd
ImageMagick
ming
plotutils
libAfterImage
libwmf
XmHTML


Yaakov


