[Replicant] Proprietary blob found in all Replicant 6.0 builds

Denis 'GNUtoo' Carikli GNUtoo at cyberdimension.org
Thu Dec 3 16:11:34 UTC 2020


On Tue, 1 Dec 2020 08:12:40 +0200
belgin <belginstirbu at hotmail.com> wrote:

> Hello!
> 
> > The issue with packages/apps/Messaging is that we have 3 CVE if we
> > revert to 0dabdec1f6f6f90b6a0cd45646bdbf5fa79cde74:
> > > $ git log \
> > >   0dabdec1f6f6f90b6a0cd45646bdbf5fa79cde74..replicant-6.0-0004-rc3 \
> > >   | grep -i CVE
> > >     CVE-2017-0780
> > >     CVE-2017-0494
> > >     CVE-2017-0476
> 
> These CVEs can be patched as follows:
> 
> First, cd into packages/apps/Messaging
> 
> For CVE-2017-0780
> 	git format-patch -1 20f6e4dc2fdadcf88cb8b48276169da47a913f9f
> 	git apply 0001-37742976-Catch-bad-gifs.patch
> 
> For CVE-2017-0494
> 	git format-patch -1 78cb8b00ee024cfdf383912695e30d9c2cb64f7d
> 	git apply \
> 	0001-32764144-Security-Vulnerability-heap-buffer-overflow.patch
> 
> For CVE-2017-0476
> 	git format-patch -1 62371f2e4bfe3d54f2b79fe55bbb423642a235d2
> 	git apply \
> 	0001-33388925-Mismatched-new-vs-delete-in-framesequence-l.patch

Thanks, my mistake, I didn't think that with all these changes on top
they could apply cleanly.

But in fact they did apply cleanly.

I've now pushed the cherry-picked patches, and pushed the
manifest as well.

So normally everything should be merged now.

Though we can still modify things if needed since we force pushed to
the replicant-6.0 branches anyway.

Denis.