squeeze update of librsvg?

Santiago Ruano Rincón santiagorr at riseup.net
Tue Jan 19 14:29:50 UTC 2016


Hi Salvatore,

On 18/01/16 at 08:57, Salvatore Bonaccorso wrote:
> Hi Santiago,
> 
> Sorry for the late reply.
>

No worries!

> On Sat, Jan 09, 2016 at 07:06:35PM +0100, Santiago Ruano Rincón wrote:
> > Hi,
> > 
> > > On 30/12/15 at 01:49, Ben Hutchings wrote:
> > > Hello dear maintainer(s),
> > > 
> > > the Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of librsvg:
> > > https://security-tracker.debian.org/tracker/CVE-2015-7557
> > > https://security-tracker.debian.org/tracker/CVE-2015-7558
> > 
> > Regarding Squeeze, and AFAICS, while the fix for CVE-2015-7557 is simple,
> > the fix for CVE-2015-7558 is not trivial. It has been fixed by many changes in the
> > checks for cyclic references, using the new rsvg_acquire_node function
> > (i.e. https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).
> > 
> > I cannot find info about how CVE-2015-7558 is exploitable, but I'd say
> > that it is no-dsa. What do you think? What's the security team's position
> > on it?
> 
> I have marked one issue as no-dsa for wheezy and jessie
> (CVE-2015-7557). 

I had prepared a squeeze package to fix it, and even if it isn't a
critical issue, I prefer to upload it given that the work is done.

> Regarding CVE-2015-7558, not sure here. But if the
> fix is too intrusive to backport we can mark it as <no-dsa> (Too
> intrusive to backport).

At least for Squeeze, it's indeed too intrusive. I haven't taken a look
at Wheezy or Jessie yet.

Cheers,

Santiago
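The thread above describes the CVE-2015-7558 fix only as "many changes in the checks for cyclic references" around the new rsvg_acquire_node function. The following is an added example, not librsvg's code and not the referenced commit: a standalone sketch of what such a check has to do, namely track the chain of nodes currently being resolved and refuse to acquire a node that is already on that chain (self-referencing pattern, `use` elements pointing at each other), plus a depth cap so a long but acyclic chain cannot exhaust the stack either. The function names (`find_cycles`, `_refs`), the set of attributes treated as references (`href`, `xlink:href`, and `url(#id)` paint/marker/clip/mask/filter values) and the sample SVG documents are all assumptions constructed for the example.

```python
"""Hypothetical cyclic-reference check for SVG id references (example code,
not librsvg's implementation)."""
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Matches url(#id), url('#id') and url("#id"); assumption: these are the
# attribute forms worth treating as references for this illustration.
URL_REF = re.compile(r"url\(\s*['\"]?#([^)'\"\s]+)")
PAINT_ATTRS = ("fill", "stroke", "marker-start", "marker-mid", "marker-end",
               "clip-path", "mask", "filter")


def _refs(elem):
    """Return the element ids this element references directly."""
    ids = []
    for attr in ("href", XLINK_HREF):       # SVG 2 href and SVG 1.1 xlink:href
        value = elem.get(attr)
        if value and value.startswith("#"):
            ids.append(value[1:])
    for attr in PAINT_ATTRS:                # fill="url(#pattern)" and friends
        value = elem.get(attr)
        if value:
            ids.extend(URL_REF.findall(value))
    return ids


def find_cycles(svg_text, max_depth=64):
    """Return the unique reference cycles in an SVG document.

    Each cycle is a tuple of element ids rotated to start at the smallest id,
    so the same cycle found from different starting points is reported once.
    Raises RecursionError if an acyclic reference chain exceeds max_depth.
    """
    root = ET.fromstring(svg_text)
    by_id = {e.get("id"): e for e in root.iter() if e.get("id")}
    found = set()

    def acquire(node_id, stack):
        # The acquire/release discipline: a node already on the stack of
        # nodes being resolved is a cycle, not something to recurse into.
        if node_id in stack:
            nodes = stack[stack.index(node_id):]
            i = nodes.index(min(nodes))
            found.add(tuple(nodes[i:] + nodes[:i]))
            return
        if len(stack) >= max_depth:
            raise RecursionError("reference chain deeper than %d" % max_depth)
        target = by_id.get(node_id)
        if target is None:                  # dangling reference: nothing to do
            return
        stack.append(node_id)
        for child in target.iter():         # target itself plus its subtree
            for ref in _refs(child):
                acquire(ref, stack)
        stack.pop()                         # release

    for elem in root.iter():
        for ref in _refs(elem):
            acquire(ref, [])
    return sorted(found)


# Constructed sample input: a pattern that fills itself with itself, and two
# groups whose <use> elements point at each other.
CYCLIC_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs>
    <pattern id="p" width="10" height="10" patternUnits="userSpaceOnUse">
      <rect width="10" height="10" fill="url(#p)"/>
    </pattern>
    <g id="a"><use xlink:href="#b"/></g>
    <g id="b"><use xlink:href="#a"/></g>
  </defs>
  <rect width="100" height="100" fill="url(#p)"/>
  <use href="#a"/>
</svg>"""

# Constructed sample input: a plain chain of references with no cycle.
ACYCLIC_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <use id="u1" href="#u2"/>
  <use id="u2" href="#u3"/>
  <circle id="u3" r="5"/>
</svg>"""

if __name__ == "__main__":
    print(find_cycles(CYCLIC_SVG))   # [('a', 'b'), ('p',)]
    print(find_cycles(ACYCLIC_SVG))  # []
```

The point of carrying the stack through every reference-bearing attribute, not just `href`, is that a cycle can run through a paint server (`fill="url(#p)"` inside the pattern `p`) as easily as through `use` elements; a check that only inspects one attribute kind leaves the other paths open.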