Message-ID: <20160706090113.GA3916@eldamar.local>
Date: Wed, 6 Jul 2016 11:01:13 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: Gustavo Grieco <gustavo.grieco@...il.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Browsing and attaching images considered harmful
 in Linux

Hi

On Mon, Jul 04, 2016 at 09:13:05PM +0200, Gustavo Grieco wrote:
> Fortunately, this issue is already solved in the last revision of
> librsvg2 (AFAIK, this issue has no CVE, so please MITRE assign one if
> suitable). Nevertheless, I reported such vulnerability to Mozilla more
> than a month ago hoping that they will disable the svg support in the
> open/attach widget. After some discussion, it was marked as WONTFIX.
> While I understand why, I still feel it can be productive to discuss
> this here.

If I correctly bisected with the reproducer, then the fix should be
around
https://git.gnome.org/browse/librsvg/commit/?id=0035e95118a60c0cd3949c2300472d805e16a022
(2.40.7).

If anyone can confirm, that would be great.

Regards,
Salvatore
