[Buildroot] [PATCH 1/1] package/giflib: security bump to version 5.2.1

Fabrice Fontaine fontaine.fabrice at gmail.com
Mon Aug 19 20:26:47 UTC 2019


Le lun. 19 août 2019 à 21:40, Thomas Petazzoni
<thomas.petazzoni at bootlin.com> a écrit :
>
> On Mon, 19 Aug 2019 19:07:24 +0200
> Peter Korsgaard <peter at korsgaard.com> wrote:
>
> >  > I must say this is quite big of a change for master at this point, and
> >  > for a security bump in general. I'm not sure between applying this, or
> >  > just cherry-picking the two commits that fix the CVEs.
> >
> > Yes, I believe that is also what we agreed when Bernd posted a similar
> > patch last month:
> >
> > https://patchwork.ozlabs.org/patch/1124785/
>
> So in here you also say that the security issue is only in a tool we
> don't install, so we're not affected. In this case, I could just apply
> Fabrice's patch to next, and we do nothing for master ?

Why do these CVEs only affect tools? As you can see in both links that I
provided, those CVEs are located in dgif_lib.c, which is a part of
libgif, and libgif is installed in staging. So I think that some of our
users could be concerned by these CVEs. Moreover, we are also
providing host-giflib, which builds and installs host tools.
>
> Best regards,
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com
Best Regards,

Fabrice
