On 04/26/2016 07:03 PM, Santiago Torres wrote: > On Tue, Apr 26, 2016 at 06:48:15PM +0200, Kim Woelders wrote: >> On 04/26/2016 01:27 AM, Simon Lees wrote: >>> >>> >>> On 04/26/2016 04:43 AM, Santiago Torres wrote: >>>> Hello everyone, >>>> >>>> I'm part of Arch's CVE monitoring team. We noticed that there are 4/5 >>>> CVE's fixed on the latest commits of imlib2, but they are not part of >>>> the latest release. >>>> >>>> We were wondering if a new release is scheduled to come out soon, as we >>>> would like to integrate these fixes in our version of imlib2 >>>> >>>> Having an official release of imlib2 would make things easier for >>>> packagers, so they don't have to backport the fixes from the VCS. >>>> >>>> Thanks in advance! >>>> -Santiago. >>>> >>> >>> Hi Santiago, >>> >>> I believe its being organised once the issues stop rolling in, from a >>> security perspective none of the issues are any more then minor. I'm >>> waiting for the same for openSUSE, unfortunately for SUSE Linux >>> Enterprise i've had to backport a bunch of stuff. >>> >>> Cheers >>> >> If we are done for now I'll roll a release in a couple of days. > > Nice! Much appreciated. > >> >> I believe these are the CVEs fixed since 1.4.8: >> CVE-2011-5326: Fix divide-by-zero on 2x1 ellipse >> CVE-2016-3993: Fix off-by-one OOB read >> CVE-2016-3994: Fix out-of-bounds read in the GIF loader >> CVE-2016-4024: Fix integer overflow >> >> Please correct me if I'm wrong. > > I might be wrong, but isn't CVE-2014-9771 somewhere around there also? > > more info here: http://seclists.org/oss-sec/2016/q2/43 > > Thanks! > -Santiago. > The commit referred to there is https://git.enlightenment.org/legacy/imlib2.git/commit/?id=143f299, which is in 1.4.7.
However, I'm not quite sure if the problem was really solved before https://git.enlightenment.org/legacy/imlib2.git/commit/?id=7eba2e4, which apparently is the fix to CVE-2016-4024. For simplicity I'd prefer to pretend that CVE-2014-9771 was fixed by 1.4.7 and CVE-2016-4024 by 1.4.9 (to be released). /Kim ------------------------------------------------------------------------------ Find and fix application performance issues faster with Applications Manager Applications Manager provides deep performance insights into multiple tiers of your business applications. It resolves application problems quickly and reduces your MTTR. Get your free trial! https://ad.doubleclick.net/ddm/clk/302982198;130105516;z _______________________________________________ enlightenment-devel mailing list enlightenment-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
