From jake at lwn.net Sat May 23 16:55:18 2009
From: jake at lwn.net (Jake Edge)
Date: Sat, 23 May 2009 10:55:18 -0600
Subject: trying to figure out fixes for CVE-2005-2974 and CVE-2005-3350
Message-ID: <20090523105518.14b0a410@chukar>

Hi Mark and Fedora security folks,

Relatively recently, RHEL and Fedora put out updates for giflib problems with CVEs from 2005 ... I am curious how it took so long (nearly 4 years) to handle them ... and then took another month to get them into Fedora 9 (there is no update for F10, not vulnerable?) ... was it just an oversight? Or were there other reasons?

http://lwn.net/Articles/333760/ has links to the updates and such (and a comment from a reader wondering just what I am asking) ...

thanks!

jake

--
Jake Edge - LWN - jake at lwn.net - http://lwn.net


From mjc at redhat.com Mon May 25 19:21:12 2009
From: mjc at redhat.com (Mark J Cox)
Date: Mon, 25 May 2009 20:21:12 +0100 (BST)
Subject: trying to figure out fixes for CVE-2005-2974 and CVE-2005-3350
In-Reply-To: <20090523105518.14b0a410@chukar>
References: <20090523105518.14b0a410@chukar>
Message-ID: <0905252019450.12511@mjc.redhat.com>

> http://lwn.net/Articles/333760/ has links to the updates and such (and
> a comment from a reader wondering just what I am asking) ...

Hello Jake; Tomas Hoger has just posted the details of this issue in the bug, see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2005-3350#c7

Thanks, Mark

--
Mark J Cox / Director, Red Hat Security Response


From jake at lwn.net Mon May 25 19:43:08 2009
From: jake at lwn.net (Jake Edge)
Date: Mon, 25 May 2009 13:43:08 -0600
Subject: trying to figure out fixes for CVE-2005-2974 and CVE-2005-3350
In-Reply-To: <0905252019450.12511@mjc.redhat.com>
References: <20090523105518.14b0a410@chukar> <0905252019450.12511@mjc.redhat.com>
Message-ID: <20090525134308.4bd99d52@chukar>

On Mon, 25 May 2009 20:21:12 +0100 (BST) Mark J Cox wrote:

> Hello Jake; Tomas Hoger has just posted the details of this issue in
> the bug, see
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2005-3350#c7

Thanks, Mark. I don't know much about CVE assignment and the like (but perhaps I should), but it would seem to me that the two CVEs from 2005 apply to libungif rather than giflib and that new CVEs should be created or applied for, as it is a different package affected (though I assume they share much of the same code) ... it would also seem plausible that other distributions using giflib fell into the same hole ... or is this purely a Fedora/RHEL issue because they stuck with giflib 4.1.3?

jake

--
Jake Edge - LWN - jake at lwn.net - http://lwn.net


From thoger at redhat.com Tue May 26 10:14:39 2009
From: thoger at redhat.com (Tomas Hoger)
Date: Tue, 26 May 2009 12:14:39 +0200
Subject: trying to figure out fixes for CVE-2005-2974 and CVE-2005-3350
In-Reply-To: <20090525134308.4bd99d52@chukar>
References: <20090523105518.14b0a410@chukar> <0905252019450.12511@mjc.redhat.com> <20090525134308.4bd99d52@chukar>
Message-ID: <20090526121439.0eff7062@redhat.com>

Hi Jake!

On Mon, 25 May 2009 13:43:08 -0600 Jake Edge wrote:

> I don't know much about CVE assignment and the like (but perhaps I
> should), but it would seem to me that the two CVEs from 2005 apply to
> libungif rather than giflib and that new CVEs should be created or
> applied for as it is a different package affected (though I assume
> they share much of the same code) ...

If the affected code is re-used in multiple projects, the same CVE id is used to refer to the flaw in all projects that contain shared code (for examples, think of flaws in xpdf source code that usually need to be fixed in xpdf, poppler, cups, and for older distros also kdegraphics, gpdf, ...; or mozilla flaws fixed in firefox, seamonkey, thunderbird).

While it's not quite obvious, libungif and giflib do not really seem to be different projects. I have not tried to track down all their history, but diffing their sources, the only real difference in 4.1.3 was that giflib supported LZW encoding and libungif did not. Excluding Makefile / configure / README differences, this boils down to about 200 lines of unified diff.

> it would also seem plausible that other distributions using giflib
> fell into the same hole ... or is this purely a Fedora/RHEL issue
> because they stuck with giflib 4.1.3?

Following upstream releases more closely, this could have been fixed quite some time ago.

--
Tomas Hoger / Red Hat Security Response Team