Security advisory: gtk2-x11

Yaakov (Cygwin/X)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gerrit,

The GdkPixbuf library, that is also included in GTK+ 2, contains
vulnerabilities that could lead to a Denial of Service or the execution
of arbitrary code.

Solution: a patch for gtk+-2.x is required (URL below).

(BTW, Gerrit, what are your plans for GTK/GNOME?  I'm willing to take
stuff over if you've lost interest.)

http://www.gentoo.org/security/en/glsa/glsa-200511-14.xml
http://www.idefense.com/application/poi/display?id=339&type=vulnerabilities
http://www.gentoo.org/cgi-bin/viewcvs.cgi/x11-libs/gtk+/files/gtk+-2-xpm_loader.patch?hideattic=1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Cygwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDe5qZpiWmPGlmQSMRAgRdAJ9Fh1oRf52xEELoi0gfshs9dKXBIwCfaGGU
Ce7YghJ4hRm8rCB07c3SdgI=
=KMcX
-----END PGP SIGNATURE-----

Re: Security advisory: gtk2-x11

Gerrit P. Haase
Yaakov S (Cygwin Ports) wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Gerrit,
>
> The GdkPixbuf library, that is also included in GTK+ 2, contains
> vulnerabilities that could lead to a Denial of Service or the execution
> of arbitrary code.
>
> Solution: a patch for gtk+-2.x is required (URL below).

Will integrate this asap.


> (BTW, Gerrit, what are your plans for GTK/GNOME?  I'm willing to take
> stuff over if you've lost interest.)

Ok.  Just prepare what is needed next and notify separately when you're
uploading.  You are able to upload yourself?



Gerrit
--
=^..^=

Re: Security advisory: gtk2-x11

Yaakov (Cygwin/X)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gerrit P. Haase wrote:
> Will integrate this asap.

Thanks.

> Ok.  Just prepare what is needed next and notify separately when you're
> uploading.

I have GConf2, libbonobo2, gnome-vfs2, libgnome2, libbonoboui2, and
libgnomeui2 all up to 2.10.1, and I have a renamed libart_lgpl2 in order
to make space for gnome-libs-1.4.2.

> You are able to upload yourself?

No.


Yaakov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Cygwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDfiEnpiWmPGlmQSMRAs3AAKDJ80/UlXg0lfLTWytIt9+ZkAElcgCfSKev
/tArleA5QJFkSfVc2KRqh2o=
=Iv0X
-----END PGP SIGNATURE-----

Re: Security advisory: gtk2-x11

Yaakov (Cygwin/X)
In reply to this post by Gerrit P. Haase
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gerrit P. Haase wrote:
> Ok.  Just prepare what is needed next and notify separately when you're
> uploading.

Forgot to mention, I also have (glitz and) cairo, which is required for
pango-1.10 and gtk+-2.8, if you think you're ready to make that move.


Yaakov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Cygwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDfiIhpiWmPGlmQSMRAkrXAJ0X1lkfSDX6E+lCY7O4+SCt5cYDxQCfUqzl
jUwms2E647IHgPUCl5VofWA=
=I6PY
-----END PGP SIGNATURE-----

Re: Security advisory: gtk2-x11

Yaakov (Cygwin/X)
In reply to this post by Gerrit P. Haase
Gerrit P. Haase wrote:
> Will integrate this asap.

Thanks.

> Ok.  Just prepare what is needed next and notify separately when you're
> uploading.

I have GConf2, libbonobo2, gnome-vfs2, libgnome2, libbonoboui2, and
libgnomeui2 all up to 2.10.1, and I have a renamed libart_lgpl2 in order
to make space for gnome-libs-1.4.2.

> You are able to upload yourself?

No.


Yaakov

Re: Security advisory: gtk2-x11

Gerrit P. Haase
In reply to this post by Yaakov (Cygwin/X)
Yaakov S (Cygwin Ports) wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Gerrit P. Haase wrote:
>
>>Ok.  Just prepare what is needed next and notify separately when you're
>>uploading.
>
>
> Forgot to mention, I also have (glitz and) cairo, which is required for
> pango-1.10 and gtk+-2.8, if you think you're ready to make that move.

Hmm, this is the first time I hear about glitz and cairo.  Is it used
instead of X11?


Gerrit
--
=^..^=

Re: Security advisory: gtk2-x11

Gerrit P. Haase
In reply to this post by Yaakov (Cygwin/X)
Yaakov S (Cygwin Ports) wrote:

> Gerrit P. Haase wrote:
>
>>Will integrate this asap.
>
>
> Thanks.
>
>
>>Ok.  Just prepare what is needed next and notify separately when you're
>>uploading.
>
>
> I have GConf2, libbonobo2, gnome-vfs2, libgnome2, libbonoboui2, and
> libgnomeui2 all up to 2.10.1, and I have a renamed libart_lgpl2 in order
> to make space for gnome-libs-1.4.2.
>
>
>>You are able to upload yourself?
>
>
> No.

Ok.  Send me your links.


Gerrit
--
=^..^=

Re: Security advisory: gtk2-x11

Yaakov (Cygwin/X)
In reply to this post by Gerrit P. Haase
Gerrit P. Haase wrote:
> Hmm, this is the first time I hear about glitz and cairo.  Is it used
> instead of X11?

Not exactly.  cairo[1] is a cross-platform 2D graphics rendering engine
with support for multiple backends.  glitz is a wrapper for the various
types of OpenGL APIs.

[1] http://cairographics.org/introduction

cairo is now used by GNOME, and particularly pango and gtk+, instead of
libart_lgpl2 and libgnomecanvas2, which are being deprecated (but need
to stay for compatibility), and to a certain degree, gdk-pixbuf.

Anyway, are you ready to consider bumping glib/gtk+ to 2.8?  Let me
know, and I'll ITP glitz and cairo.


Yaakov