This is the mail archive of the
mailing list for the Cygwin project.
Re: [SECURITY] libwmf
- From: Yaakov Selkowitz <yselkowitz at cygwin dot com>
- To: cygwin-apps at cygwin dot com
- Cc: "Dr. Volker Zell" <dr dot volker dot zell at oracle dot com>
- Date: Thu, 09 Jul 2015 15:09:09 -0500
- Subject: Re: [SECURITY] libwmf
- Authentication-results: sourceware.org; auth=none
- References: <1433492253 dot 14544 dot 12 dot camel at cygwin dot com> <1433796174 dot 10576 dot 9 dot camel at cygwin dot com> <1435337470 dot 11720 dot 23 dot camel at cygwin dot com> <vriv381a33vq dot fsf at VZELL-LAP dot de dot oracle dot com>
On Mon, 2015-06-29 at 17:56 +0200, Dr. Volker Zell wrote:
> >>>>> Yaakov Selkowitz writes:
> > On Mon, 2015-06-08 at 15:42 -0500, Yaakov Selkowitz wrote:
> >> On Fri, 2015-06-05 at 03:17 -0500, Yaakov Selkowitz wrote:
> >> > Dr. Volker,
> >> >
> >> > A security vulnerability has been made public for libwmf:
> >> >
> >> > https://bugzilla.redhat.com/show_bug.cgi?id=1227243
> >> Actually, it's worse than that. Despite configuring with --with-sys-gd,
> >> libwmf is still being built with the bundled libgd (which has either an
> >> older or custom API) instead of the system one. Therefore, practically
> >> the entire patchset is required to fix all known vulnerabilities:
> >> http://pkgs.fedoraproject.org/cgit/libwmf.git/
> > Are you still with us?
> Yes, but NO time right now (plus upcoming vacation)
Understood, I've uploaded 0.2.8.4-15 with the complete patchset.
BTW, tzcode has been a bit neglected as of late, and it's the sort of
package that really needs to be kept timely (forgive the pun). Would
you mind if we took over maintainership?