Re: libgd security update

From: Ludovic Courtès
Subject: Re: libgd security update
Date: Sat, 16 Jul 2016 14:36:27 +0200
Leo Famulari <address@hidden> writes:

> Several security vulnerabilities in libgd have been discovered recently,
> and today Debian issued a security update:
> The first patch updates libgd to the latest release, 2.2.2, fixing some
> of the bugs.
> For the remaining bugs, I've taken patches from the master branch of the
> libgd Git repo.
> Two of the patches included binary files to be used in tests, which
> `patch` cannot handle, so I've removed those parts of the patches.
> This patch series was not trivial to create: removing the binary diffs
> required some care, some of the patches depended on changes associated
> with the removed binary diffs, and some upstream fixes were reverted and
> re-committed with changes. Will someone double-check this patch series
> for mistakes?

I am not familiar with either gd or this CVE, but at first sight the
changes make sense to me.  AIUI they are mostly those in upstream’s
repo, minus the binary test data, so that should be fine.

> From a27a22635f0615495d18b2d78eb90745d5989a0e Mon Sep 17 00:00:00 2001
> From: Leo Famulari <address@hidden>
> Date: Fri, 15 Jul 2016 14:47:47 -0400
> Subject: [PATCH 1/2] gnu: gd: Update to 2.2.2 [fixes CVE-2016-{5767,6161}].
> * gnu/packages/gd.scm (gd): Update to 2.2.2.
> From 2840ecffd86395bd63734406f924905bac727104 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <address@hidden>
> Date: Fri, 15 Jul 2016 14:48:09 -0400
> Subject: [PATCH 2/2] gnu: gd: Fix CVE-2016-{5766,6128,6132,6214}.
> * gnu/packages/patches/gd-CVE-2016-5766.patch,
> gnu/packages/patches/gd-CVE-2016-6128.patch,
> gnu/packages/patches/gd-CVE-2016-6132.patch,
> gnu/packages/patches/gd-CVE-2016-6214.patch: New files.
> * gnu/ (dist_patch_DATA): Add them.
> * gnu/packages/gd.scm (gd): Use patches.

I’d say OK for both.
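The quoted message notes that GNU `patch` cannot apply the "GIT binary patch" sections that upstream's test-data commits carry, so those parts had to be cut out by hand before the patches could be used in gnu/packages/patches/. The following is an added example, not code from this thread or from Guix, of doing that mechanically and reporting what was dropped, so a reviewer can confirm that only binary test files were removed and that every text hunk survived. The sample patch it operates on is constructed for illustration (hashes, paths and file names are placeholders), and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: separate the binary-file sections of a git format-patch file
# (which GNU patch cannot apply) from the text hunks, and list what was dropped.

# Constructed sample patch with one text hunk and one binary test file.
# Not a real libgd patch; the hashes and file names are placeholders.
sample_patch() {
cat <<'EOF'
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Example Author <example@example.invalid>
Subject: [PATCH] constructed example: fix a bounds check and add a test image

---
 src/foo.c   | 2 +-
 tests/x.png | Bin 0 -> 3 bytes

diff --git a/src/foo.c b/src/foo.c
index 1111111..2222222 100644
--- a/src/foo.c
+++ b/src/foo.c
@@ -1 +1 @@
-int x = 1;
+int x = 2;
diff --git a/tests/x.png b/tests/x.png
new file mode 100644
index 0000000000000000000000000000000000000000..3333333333333333333333333333333333333333
GIT binary patch
literal 3
KcmZQzWMT#Y01f~L

literal 0
HcmV?d00001

--
2.9.0
EOF
}

# Print the path of every file whose section is a "GIT binary patch".
# Reads a patch on stdin; the path comes from the "diff --git a/X b/X" header.
list_binary_files() {
    awk '
        /^diff --git / { path = $4; sub(/^b\//, "", path) }
        /^GIT binary patch$/ { print path }
    '
}

# Copy a patch from stdin to stdout, dropping every per-file section that
# contains a "GIT binary patch" marker. Sections are buffered from one
# "diff --git" header to the next (or to the "--" signature line), so the
# decision to keep or drop is made only once the whole section is seen.
strip_binary_sections() {
    awk '
        function flush() {
            if (!binary) printf "%s", buf
            buf = ""; binary = 0
        }
        /^diff --git /       { flush() }
        /^-- ?$/             { flush() }
        /^GIT binary patch$/ { binary = 1 }
        { buf = buf $0 "\n" }
        END { flush() }
    '
}

# Stand-alone demonstration on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    echo "Binary sections removed:"
    sample_patch | list_binary_files
    echo "Remaining text patch:"
    sample_patch | strip_binary_sections
fi
```

Run it with `--demo` to see the constructed patch with only the `src/foo.c` hunk left and `tests/x.png` reported as dropped. The diffstat lines in the commit summary still mention the binary file, which is harmless to `patch` but worth reading as a reminder that the upstream test no longer has its input; the quoted message's point that later patches may depend on those removed files is exactly the case this listing helps a reviewer spot.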
