On Sat, Oct 15, 2016 at 08:31:33AM +0800, Alex Vong wrote: > Leo Famulari <l...@famulari.name> writes: > > > On Fri, Oct 14, 2016 at 10:02:58PM +0800, Alex Vong wrote: > >> Hi, > >> > >> I find out that our libraw (0.17.0) is vulnerable to CVE-2015-{8366, > >> 8367}[0], which is fixed in 0.17.1[1]. The patch below updates libraw to > >> 0.17.2. > >> > > > >> From 4618436db68adbb74f01eb8e771a448cd20e415f Mon Sep 17 00:00:00 2001 > >> From: Alex Vong <alexvong1...@gmail.com> > >> Date: Fri, 14 Oct 2016 21:45:47 +0800 > >> Subject: [PATCH] gnu: libraw: Update to 0.17.2. > >> > >> * gnu/packages/photo.scm (libraw): Update to 0.17.2. > > > > Thank you for catching this and sending a patch! > > > > I added the CVE IDs to the commit message and pushed as > > b280e67ca6f62c176c72439df4533a9737b9130a. > > > >> I think we really need a security tracker as suggested earlier (by Leo I > >> think), because the bug was disclosed in Dec 2015, so our libraw is > >> being vulnerable for 3/4 year, which is pretty scary! > > > > Did I suggest that? I don't usually suggest creating new infrastructure > > :) > > > Ok. It must be someone else suggesting creating a website... :) > > > If we had a security tracker that is as good as Debian's, I would be > > thrilled. I look at their tracker almost daily. On the other hand, there > > are parts of Debian's web infrastructure that seem to be "crumbling" — > > dead links et cetera. I'm loathe to add non-automated infrastructure to > > Guix if we can't support it properly. I'd rather lack the infrastructure > > than have it half-baked. > > > > For now I use `guix lint -c cve` and my mailing list / bug tracker > > subscriptions. > > > > By the way, `guix lint -c cve` didn't report these two bugs because they > > are still not "disclosed" in the database from which we pull our CVE > > information [0]: > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8366 > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8367 > > > > That's why it's important for Guix developers / users to pay attention > > to the upstream development of packages they are interested in. Until > > upstream security fixes can be reliably detected by an automated system, > > there are no substitutes for human attention, only complements. > > > > [0] > > http://git.savannah.gnu.org/cgit/guix.git/tree/guix/cve.scm#n41 > > Thanks for explaining the current situation. I don't know about > `guix lint -c cve`. It reports many CVE vulnerabilities. How does it > knows if a particular vulnerability is fixed by a patch?
If I understand correctly, the linter looks for a CVE ID in the patch file names [0]: ------ (define (check-vulnerabilities package) "Check for known vulnerabilities for PACKAGE." (let ((package (or (package-replacement package) package))) (match (package-vulnerabilities package) (() #t) ((vulnerabilities ...) (let* ((patches (filter-map patch-file-name (or (and=> (package-source package) origin-patches) '()))) (unpatched (remove (lambda (vuln) (find (cute string-contains <> (vulnerability-id vuln)) patches)) vulnerabilities))) (unless (null? unpatched) (emit-warning package (format #f (_ "probably vulnerable to ~a") (string-join (map vulnerability-id unpatched) ", "))))))))) ------ [0] http://git.savannah.gnu.org/cgit/guix.git/tree/guix/scripts/lint.scm#n684
signature.asc
Description: PGP signature