FS#52229 - Make openjpeg2, libtiff, libwmf optional dependencies
Attached to Project:
Arch Linux
Opened by Lukas B (teateawhy) - Wednesday, 21 December 2016, 17:32 GMT
Last edited by Antonio Rojas (arojas) - Wednesday, 21 December 2016, 18:07 GMT
Details
These are deprecated file formats which are seldom used in practice and have long-standing / multiple security issues.
Package libwmf is affected by ["CVE-2016-9011", "CVE-2015-4696", "CVE-2015-4695", "CVE-2015-4588", "CVE-2015-0848", "CVE-2009-3546", "CVE-2009-1364", "CVE-2007-3477", "CVE-2007-3473", "CVE-2007-3472", "CVE-2007-2756", "CVE-2007-0455", "CVE-2006-3376"]. VULNERABLE! Package libtiff is affected by ["CVE-2015-7554"]. VULNERABLE! Package openjpeg2 is affected by ["CVE-2016-9118", "CVE-2016-9117", "CVE-2016-9116", "CVE-2016-9115", "CVE-2016-9114", "CVE-2016-9113"]. VULNERABLE!
Closed by Antonio Rojas (arojas)
Wednesday, 21 December 2016, 18:07 GMT
Reason for closing: Not a bug
Just a few examples:
gtk3 -> gdk-pixbuf2 -> libtiff
qt5-base -> libcups -> libtiff
weston -> poppler-glib -> poppler -> "openjpeg2" -> "libtiff"
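The chains above are the reason a library with open CVEs cannot simply be dropped from a distribution: every package whose dependency path reaches it breaks, and every such package is also exposed to its bugs. As an added example (not part of this ticket or of any Arch tooling), the following script models the three quoted chains as a constructed dependency map and computes both every path from a top-level package to a library and the full set of packages that transitively require it, which is what `pactree -r <pkg>` reports on a real system.

```python
from collections import deque

# Dependency edges constructed from the chains quoted in the comment above;
# a real graph comes from the pacman database (e.g. `pactree -r libtiff`).
DEPENDS = {
    "gtk3": ["gdk-pixbuf2"],
    "gdk-pixbuf2": ["libtiff"],
    "qt5-base": ["libcups"],
    "libcups": ["libtiff"],
    "weston": ["poppler-glib"],
    "poppler-glib": ["poppler"],
    "poppler": ["openjpeg2"],
    "openjpeg2": ["libtiff"],
}

def dependency_paths(deps, root, target):
    """Every chain root -> ... -> target, as 'a -> b -> c' strings."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(" -> ".join(path))
            return
        for child in deps.get(node, []):
            if child not in path:  # skip cycles, which real databases contain
                walk(child, path + [child])

    walk(root, [root])
    return paths

def reverse_dependents(deps, target):
    """Every package whose chain reaches target: what breaks if the library
    is dropped, and the blast radius of its CVEs (cf. `pactree -r`)."""
    parents = {}
    for pkg, children in deps.items():
        for child in children:
            parents.setdefault(child, set()).add(pkg)
    seen, queue = set(), deque([target])
    while queue:
        for parent in parents.get(queue.popleft(), ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

if __name__ == "__main__":
    for lib in ("libwmf", "libtiff", "openjpeg2"):
        print(lib, "is pulled in by:", sorted(reverse_dependents(DEPENDS, lib)) or "nothing")
    for root in ("gtk3", "qt5-base", "weston"):
        print(*dependency_paths(DEPENDS, root, "libtiff"), sep="\n")
```

In the constructed map libwmf has no dependents at all, which matches the observation later in the thread that only a libwmf fix was offered; on a real system the map must be read from the package database before drawing that conclusion.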
EDIT:
The provided fix is only for libwmf, not libtiff nor openjpeg2, thus a partial solution.
If a feature creates a long standing security issue, and is mostly obsolete, why not remove it?
Are you unable to do so?
I have already deleted the shared libraries installed by these packages which seems to achieve exactly that.
Applications that I use are not affected by this, which of course cannot be generalized.
http://pkgs.fedoraproject.org/cgit/rpms/libwmf.git/tree/
https://packages.debian.org/source/sid/libwmf