Raphael Geissert <[email protected]> writes:

> Package: darktable
> Severity: grave
> Tags: security patch
>
> Hi,
>
> There's a double free in the embedded copy of libraw included in your package.
> If possible, please use the system copy instead.

So far, this still seems to be impossible, as discussed in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682980

>
> For more info:
> http://www.openwall.com/lists/oss-security/2013/05/29/7
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710353#17
>
> Could you please prepare fixed packages for stable, to be included in
> point releases?

I'm not sure yet that the vulnerability occurs in the version of libraw
embedded in darktable. There is some relevant discussion on the darktable
developers list

http://article.gmane.org/gmane.comp.graphics.darktable.devel/2628

If nothing else, the proposed patch won't apply, because raw_alloc
doesn't occur at all in src/External/LibRaw/src/libraw_cxx.cpp

I'll update the bug when I know more.

d

