Re: squeeze update of librsvg?
- To: Santiago Ruano Rincón <santiagorr@riseup.net>
- Cc: Josselin Mouette <joss@debian.org>, debian-lts@lists.debian.org, David Weinehall <tao@debian.org>, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>, Emilio Pozuelo Monfort <pochu@debian.org>, Sebastian Dröge <slomo@debian.org>, team@security.debian.org
- Subject: Re: squeeze update of librsvg?
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Mon, 18 Jan 2016 08:57:22 +0100
- Message-id: <20160118075722.GA17689@eldamar.local>
- Mail-followup-to: Santiago Ruano Rincón <santiagorr@riseup.net>, Josselin Mouette <joss@debian.org>, debian-lts@lists.debian.org, David Weinehall <tao@debian.org>, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>, Emilio Pozuelo Monfort <pochu@debian.org>, Sebastian Dröge <slomo@debian.org>, team@security.debian.org
- In-reply-to: <20160109180634.GA21309@nomada>
- References: <1451440184.25978.62.camel@debian.org> <20160109180634.GA21309@nomada>
Hi Santiago,
Sorry for the late reply.
On Sat, Jan 09, 2016 at 07:06:35PM +0100, Santiago Ruano Rincón wrote:
> Hi,
>
> El 30/12/15 a las 01:49, Ben Hutchings escribió:
> > Hello dear maintainer(s),
> >
> > the Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of librsvg:
> > https://security-tracker.debian.org/tracker/CVE-2015-7557
> > https://security-tracker.debian.org/tracker/CVE-2015-7558
>
> Regarding Squeeze, and AFAICS, while the fix for CVE-2015-7557 is simple,
> CVE-2015-7558 is not trivial. It has been fixed by many changes in the
> checks of cyclic references, using the new rsvg_acquire_node function
> (i.e. https://git.gnome.org/browse/librsvg/commit/?id=a51919f7e1ca9c535390a746fbf6e28c8402dc61).
>
> I cannot find info about how CVE-2015-7558 is exploitable, but I'd say
> that it is no-dsa. What do you think? What's the security team's position
> about it?
I have marked one issue as no-dsa for wheezy and jessie
(CVE-2015-7557). Regarding CVE-2015-7558, not sure here. But if the
fix is too intrusive to backport we can mark it as <no-dsa> (Too
intrusive to backport).
Regards,
Salvatore