[Buildroot] [PATCH 1/1] package/giflib: security bump to version 5.2.1
Peter Korsgaard
peter at korsgaard.com
Mon Aug 19 20:44:46 UTC 2019
>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni at bootlin.com> writes:
> On Mon, 19 Aug 2019 19:07:24 +0200
> Peter Korsgaard <peter at korsgaard.com> wrote:
>> > I must say this is quite big of a change for master at this point, and
>> > for a security bump in general. I'm not sure between applying this, or
>> > just cherry-picking the two commits that fix the CVEs.
>>
>> Yes, I believe that is also what we agreed when Bernd posted a similar
>> patch last month:
>>
>> https://patchwork.ozlabs.org/patch/1124785/
> So in here you also say that the security issue is only in a tool we
> don't install, so we're not affected. In this case, I could just apply
> Fabrice's patch to next, and we do nothing for master ?
Sorry, looking back at the issue I think I mixed things up - it doesn't
help that the issues referenced in the commit messages have been deleted
(or hidden?) from their bugtracker. Bug #114 affected gifclrmp, bug #113
does indeed affect the library itself (CVE-2018-11490) and #119
(CVE-2019-15133) as well.
So a small patch adding the fixes to our current version would be the
nicest. Notice that the source files have been moved (and
deleted/restored) in upstream git, so the paths need a bit of tweaking.
--
Bye, Peter Korsgaard