Re: Gtk2 1.2495 (stable) available

2015-02-19 Thread intrigeri
Hi Torsten,

Torsten Schoenfeld wrote (28 Jan 2015 19:31:55 GMT) :
> On 28.01.2015 17:51, intrigeri wrote:
>
>> Thanks. I've not seen a CVE request on oss-security (could have missed
>> it, though). Will it be allocated in another way, e.g. from the Red
>> Hat pool? A CVE would help distros a lot.
>
> No, we haven't done any kind of official security-related announcement.
> Do you really need such an official and elaborate effort for this
> kind of bug fix?

*I* don't need this since I read this list :)

But for other operating systems, yes, a CVE is needed. In the case at
hand, 3 weeks after the bug was fixed:

  * Fedora 20 and 21 have patched it
  * Debian still hasn't patched it (my fault)
  * Ubuntu hasn't patched it
  * OpenSUSE hasn't patched it

=> I guess that some major distros have nobody subscribed to
gtk-perl-list@ (no big surprise, considering the amount of Perl
modules they're packaging), and thus haven't heard of this potential
security issue yet. That's one very good reason to issue a CVE in
my opinion.

> These kinds of fixes are done all over the place all the time
> without special announcements.

IMO that's a problem that all OS security teams everywhere are
struggling against. A good explanation of why a CVE is needed was
provided a few weeks ago by Kurt Seifried (Red Hat product security):

  http://www.openwall.com/lists/oss-security/2015/01/29/20

Cheers,
-- 
intrigeri
___
gtk-perl-list mailing list
gtk-perl-list@gnome.org
https://mail.gnome.org/mailman/listinfo/gtk-perl-list


Re: Gtk2 1.2495 (stable) available

2015-02-19 Thread Emmanuele Bassi
Hi all;

Outside of the CVE route, GNOME uses the distributors-list mailing list for
communication between GNOME modules and downstream distribution teams.
It's good to use that list for notifying of changes or releases that have
particular impact on distributions.

Ciao,
 Emmanuele.

On Wednesday, 18 February 2015, intrigeri <intrig...@debian.org> wrote:

> Hi Torsten,
>
> Torsten Schoenfeld wrote (28 Jan 2015 19:31:55 GMT) :
>> On 28.01.2015 17:51, intrigeri wrote:
>>
>>> Thanks. I've not seen a CVE request on oss-security (could have missed
>>> it, though). Will it be allocated in another way, e.g. from the Red
>>> Hat pool? A CVE would help distros a lot.
>>
>> No, we haven't done any kind of official security-related announcement.
>> Do you really need such an official and elaborate effort for this
>> kind of bug fix?
>
> *I* don't need this since I read this list :)
>
> But for other operating systems, yes, a CVE is needed. In the case at
> hand, 3 weeks after the bug was fixed:
>
>   * Fedora 20 and 21 have patched it
>   * Debian still hasn't patched it (my fault)
>   * Ubuntu hasn't patched it
>   * OpenSUSE hasn't patched it
>
> => I guess that some major distros have nobody subscribed to
> gtk-perl-list@ (no big surprise, considering the amount of Perl
> modules they're packaging), and thus haven't heard of this potential
> security issue yet. That's one very good reason to issue a CVE in
> my opinion.
>
>> These kinds of fixes are done all over the place all the time
>> without special announcements.
>
> IMO that's a problem that all OS security teams everywhere are
> struggling against. A good explanation of why a CVE is needed was
> provided a few weeks ago by Kurt Seifried (Red Hat product security):
>
>   http://www.openwall.com/lists/oss-security/2015/01/29/20
>
> Cheers,
> --
> intrigeri



-- 
https://www.bassi.io
[@] ebassi [@gmail.com]


Re: Gtk2 1.2495 (stable) available

2015-01-28 Thread intrigeri
Hi,

Brian Manning wrote (28 Jan 2015 02:10:23 GMT) :
> Overview of changes in Gtk2 1.2495 (stable) [2015-01-27]
>
> * Fix incorrect memory management in Gtk2::Gdk::Display::list_devices

Did that bug have any security implication?

Cheers!


Re: Gtk2 1.2495 (stable) available

2015-01-28 Thread Torsten Schönfeld
intrigeri <intrigeri+deb...@boum.org>:
> Brian Manning wrote (28 Jan 2015 02:10:23 GMT) :
>> Overview of changes in Gtk2 1.2495 (stable) [2015-01-27]
>>
>> * Fix incorrect memory management in Gtk2::Gdk::Display::list_devices
>
> Did that bug have any security implication?

The code was freeing memory that gtk+ still holds onto and might access later.
So, yes, it is conceivable that this can be exploited.
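Torsten's one-line description (a binding freeing a list that gtk+ still owns and reads later) is an ownership-boundary bug: the library returns a borrowed pointer, the binding treats it as owned. The C program below is an added example, not code from the Gtk2 Perl bindings or from GDK. It models a library that hands out a list it keeps using, with the same contract as gdk_display_list_devices() in GTK 2 (the returned list is GDK's and must not be freed), shows the buggy "free what was borrowed" pattern, and shows the correct pattern of copying what the binding needs into memory the binding owns. The names library_list_devices, library_device_count, binding_list_devices_buggy, binding_list_devices_copy and the device strings are invented for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the GList that GDK hands out: a singly linked
 * list of device names that the "library" owns. */
typedef struct Node {
    const char *name;
    struct Node *next;
} Node;

/* The library's own storage: built once, reused for the life of the process,
 * and read again by the library after it has been handed to callers. */
static Node *library_devices = NULL;

static Node *push(Node *head, const char *name)
{
    Node *n = malloc(sizeof *n);
    if (n == NULL)
        abort();
    n->name = name;
    n->next = head;
    return n;
}

/* Library side: returns a BORROWED pointer. As with gdk_display_list_devices()
 * in GTK 2, the caller must not free it. */
Node *library_list_devices(void)
{
    if (library_devices == NULL) {
        /* constructed sample names; push() prepends, so "Wacom Pen" is first */
        library_devices = push(library_devices, "Core Pointer");
        library_devices = push(library_devices, "Core Keyboard");
        library_devices = push(library_devices, "Wacom Pen");
    }
    return library_devices;
}

/* The library walks its own list again later: the "might access later" half
 * of the bug. If a caller freed the nodes, this reads freed memory. */
size_t library_device_count(void)
{
    size_t count = 0;
    for (Node *n = library_list_devices(); n != NULL; n = n->next)
        count++;
    return count;
}

/* Binding side, buggy pattern: treating the borrowed list as owned and freeing
 * it. Compiled only to show the mistake; never called here, because
 * library_devices would then dangle and library_device_count() would be a
 * use-after-free (and a double free if the list is ever freed again). */
void binding_list_devices_buggy(void)
{
    Node *n = library_list_devices();
    while (n != NULL) {
        Node *next = n->next;
        free(n);    /* wrong: the library still owns this node */
        n = next;
    }
}

/* Binding side, correct pattern: copy the names into memory the binding owns
 * and leave the library's list untouched. Returns an array of *count strings. */
char **binding_list_devices_copy(size_t *count)
{
    size_t n_items = 0;
    for (Node *n = library_list_devices(); n != NULL; n = n->next)
        n_items++;

    char **names = calloc(n_items > 0 ? n_items : 1, sizeof *names);
    if (names == NULL)
        abort();

    size_t i = 0;
    for (Node *n = library_list_devices(); n != NULL; n = n->next, i++) {
        size_t len = strlen(n->name) + 1;
        names[i] = malloc(len);
        if (names[i] == NULL)
            abort();
        memcpy(names[i], n->name, len);
    }
    *count = n_items;
    return names;
}

/* Frees only what binding_list_devices_copy() allocated. */
void binding_free_copy(char **names, size_t count)
{
    for (size_t i = 0; i < count; i++)
        free(names[i]);
    free(names);
}

int main(void)
{
    size_t count = 0;
    char **names = binding_list_devices_copy(&count);
    for (size_t i = 0; i < count; i++)
        printf("device: %s\n", names[i]);
    binding_free_copy(names, count);
    /* The library's list is still intact once the binding is done with it. */
    printf("library still sees %zu devices\n", library_device_count());
    return 0;
}
```

The check that matters for a review is the last one: after the binding has released everything it allocated, the library can still walk its list. When wrapping a C API, the question to ask of every returned pointer is "transfer full or transfer none?"; a binding that frees a transfer-none result is exactly the class of defect the 1.2495 fix removed, and AddressSanitizer or Valgrind will flag the later library access as a read of freed memory.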


Re: Gtk2 1.2495 (stable) available

2015-01-28 Thread intrigeri
Torsten Schönfeld wrote (28 Jan 2015 16:06:33 GMT) :
> intrigeri <intrigeri+deb...@boum.org>:
>> Brian Manning wrote (28 Jan 2015 02:10:23 GMT) :
>>> Overview of changes in Gtk2 1.2495 (stable) [2015-01-27]
>>>
>>> * Fix incorrect memory management in Gtk2::Gdk::Display::list_devices
>>
>> Did that bug have any security implication?
>
> The code was freeing memory that gtk+ still holds onto and might access
> later. So, yes, it is conceivable that this can be exploited.

Thanks. I've not seen a CVE request on oss-security (could have missed
it, though). Will it be allocated in another way, e.g. from the Red
Hat pool? A CVE would help distros a lot.

Cheers,
-- 
intrigeri


Re: Gtk2 1.2495 (stable) available

2015-01-28 Thread Torsten Schoenfeld
On 28.01.2015 17:51, intrigeri wrote:
> Torsten Schönfeld wrote (28 Jan 2015 16:06:33 GMT) :
>> intrigeri <intrigeri+deb...@boum.org>:
>>> Brian Manning wrote (28 Jan 2015 02:10:23 GMT) :
>>>> Overview of changes in Gtk2 1.2495 (stable) [2015-01-27]
>>>>
>>>> * Fix incorrect memory management in Gtk2::Gdk::Display::list_devices
>>>
>>> Did that bug have any security implication?
>>
>> The code was freeing memory that gtk+ still holds onto and might access
>> later. So, yes, it is conceivable that this can be exploited.
>
> Thanks. I've not seen a CVE request on oss-security (could have missed
> it, though). Will it be allocated in another way, e.g. from the Red
> Hat pool? A CVE would help distros a lot.

No, we haven't done any kind of official security-related announcement.
Do you really need such an official and elaborate effort for this
kind of bug fix?  These kinds of fixes are done all over the place all
the time without special announcements.