Re: squeeze update of librsvg?

To: Josselin Mouette <joss@debian.org>, debian-lts@lists.debian.org, David Weinehall <tao@debian.org>, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>, Emilio Pozuelo Monfort <pochu@debian.org>, Sebastian Dröge <slomo@debian.org>, team@security.debian.org
Subject: Re: squeeze update of librsvg?
From: Santiago Ruano Rincón <santiagorr@riseup.net>
Date: Sat, 9 Jan 2016 19:06:35 +0100
Message-id: <[🔎] 20160109180634.GA21309@nomada>
In-reply-to: <1451440184.25978.62.camel@debian.org>
References: <1451440184.25978.62.camel@debian.org>

Hi,

El 30/12/15 a las 01:49, Ben Hutchings escribió:
> Hello dear maintainer(s),
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of librsvg:
> https://security-tracker.debian.org/tracker/CVE-2015-7557
> https://security-tracker.debian.org/tracker/CVE-2015-7558

Regarding Squeeze and AFAICS, while the fix for CVE-2015-7557 is simple,
the CVE-2015-7558 is not trivial. It has been fixed by many changes in the
checks of cyclic references, using the new rsvg_acquire_node function
(i.e. https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).

I cannot find info about how CVE-2015-7558 is exploitable, but I'd say
that is no-dsa. What do you think? What's the security team position
about it?

Cheers,

Santiago

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: squeeze update of librsvg?
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Re: another squeeze cacti update?
Next by Date: Re: another squeeze cacti update?
Previous by thread: Re: Updates to debian-security-support
Next by thread: Re: squeeze update of librsvg?
Index(es):
- Date
- Thread