CVE-2017-6311

Salvatore Bonaccorso carnil at debian.org
Thu Mar 23 05:55:53 UTC 2017


Hi Jeremy,

On Wed, Mar 22, 2017 at 05:24:42PM -0400, Jeremy Bicha wrote:
> On Wed, Mar 22, 2017 at 10:59 AM, Jeremy Bicha <jbicha at ubuntu.com> wrote:
> > I'm bumping Debian's gdk-pixbuf tracking bugs to serious for now so it
> > won't automatically migrate to testing later unless we lower the
> > severity again. (But this change wasn't intended for stretch anyway.)
> 
> I misunderstood the bugs here so I set the 3 existing gdk-pixbuf bugs
> back to their previous status.

Deep apologies that this has caused confusion and more work for you, that
was *not* the intention. The intention was to get a new status overview for
CVE-2017-6311 now that the thumbnail code is included in the experimental
upload.

> Salvatore, it would have been useful if you had opened a Debian bug
> for this CVE and you could have at least temporarily set it to
> Serious.

Yes, we could have done that. But given the code was not resulting in
any binary packages back at the time of triage, we just marked it as
unimportant, without filing a BTS bug. I realize it might have helped
in this case.

> I've done this for you at https://bugs.debian.org/858491

Thank you! Emilio already updated the tracker.

> Could you check if stretch's gnome-desktop3 has the same
> vulnerability? If so, it doesn't make sense to block the gdk-pixbuf
> thumbnailer.

I have absolutely no time for it today, but might do tomorrow or on the
weekend. But no guarantee.

Salvatore


