squeeze update of librsvg?

Santiago Ruano Rincón santiagorr at riseup.net
Sat Jan 9 18:06:35 UTC 2016


El 30/12/15 a las 01:49, Ben Hutchings escribió:
> Hello dear maintainer(s),
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of librsvg:
> https://security-tracker.debian.org/tracker/CVE-2015-7557
> https://security-tracker.debian.org/tracker/CVE-2015-7558

Regarding Squeeze and AFAICS, while the fix for CVE-2015-7557 is simple,
the CVE-2015-7558 is not trivial. It has been fixed by many changes in the
checks of cyclic references, using the new rsvg_acquire_node function
(i.e. https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).

I cannot find info about how CVE-2015-7558 is exploitable, but I'd say
that is no-dsa. What do you think? What's the security team position
about it?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20160109/e563e635/attachment.sig>

More information about the pkg-gnome-maintainers mailing list