[bug#38687] [PATCH] gnu: Add libtcod.

From: Marius Bakke
Subject: [bug#38687] [PATCH] gnu: Add libtcod.
Date: Mon, 10 Feb 2020 22:10:46 +0100
User-agent: Notmuch/0.29.3 ( Emacs/26.3 (x86_64-pc-linux-gnu)

address@hidden writes:

> Hi Marius and Ludo,
> I managed to remove all vendored libraries except for glad.h which seems
> to be some kind of generated glue code for loading OpenGL
> ( In the next two patches I'm adding
> libtcod and its dependency lodepng.

Excellent, thanks for taking the time to get rid of the bundled

> Guix lint is warning me that lodepng could be affected by
> CVE-2019-17178, but taking a look at
> and
> seems to indicate that lodepng should be *not* vulnerable since
> 28/09/2019, did I understand correctly?
> Please don't hesitate and tell me if anything should be done w.r.t. the
> CVE.

The CVE entry points to this commit:

Which changes something in FreeRDP's bundled version of LodePNG.  The
changes in question do not seem to be in upstream LodePNG:

It's not clear to me whether this is a problem with LodePNG, or just
improper use of its API.  It looks like the latter: tree->lengths is
checked just below the changed line, so FreeRDP must be catching the
83 return code and keep going to get the memory leak described in the
CVE entry.

We can either ignore it using the 'lint-hidden-cve' property, and add a
comment that this version of LodePNG should not be used with FreeRDP; or
take the patch from FreeRDP, as it looks innocent enough.  I don't
really have a strong opinion here, nor sufficient expertise, so I'd be
happy if others could chime in.
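For readers unfamiliar with the 'lint-hidden-cve' mechanism discussed above, here is an added illustration (not a patch from this thread, nor the lodepng package as it exists in Guix) of a package definition that silences the CVE-2019-17178 lint warning while recording why. The version, commit, hash and the choice of gnu-build-system are placeholders and assumptions to be replaced with real values.

```scheme
;; Added illustration, not from the thread: a Guix package definition for
;; lodepng using the 'lint-hidden-cve' property so that `guix lint` stops
;; reporting CVE-2019-17178.  Version, commit, hash and build system are
;; placeholders/assumptions.
(define-module (gnu packages lodepng-example)
  #:use-module (guix packages)
  #:use-module (guix git-download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:))

(define-public lodepng
  (package
    (name "lodepng")
    (version "0.0.0-PLACEHOLDER")                      ; placeholder
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://github.com/lvandeve/lodepng")
                    (commit "COMMIT-PLACEHOLDER")))    ; placeholder
              (file-name (git-file-name name version))
              (sha256
               (base32
                "0000000000000000000000000000000000000000000000000000"))))  ; placeholder
    (build-system gnu-build-system)                    ; assumption
    (home-page "https://lodev.org/lodepng/")
    (synopsis "PNG encoder and decoder in C and C++")
    (description
     "LodePNG is a PNG image decoder and encoder, all in one, without
dependencies on libpng or zlib.")
    ;; CVE-2019-17178 refers to a change in FreeRDP's bundled copy of LodePNG
    ;; that is not present upstream.  Hide the lint warning, but this package
    ;; must not be treated as a drop-in replacement for FreeRDP's copy.
    (properties '((lint-hidden-cve . ("CVE-2019-17178"))))
    (license license:zlib)))
```

`guix lint` consults the 'lint-hidden-cve' property, a list of CVE identifier strings, when deciding which CVE matches to report; the comment next to it is the part that matters for the next maintainer, since it records the reasoning from this thread rather than just muting the check.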
