Re: Security bugs in unmaintained/maintainerless librsvg

On Mon, Feb 02, 2015 at 11:31:38AM +0100, Dimstar / Dominique Leuenberger wrote:
> On Sun, 2015-02-01 at 23:45 +0100, Olav Vitters wrote:
> > Hello distributors,
> > 
> > We've received various security bugs about librsvg. As that module is
> > unmaintained, these bugs have not been fixed. These bugs and various
> > others will be made public really soon. Possibly as of next week.
> > 
> > Maintainers for librsvg welcome. In any case, take note.
> > 
> > Feel free to discuss here or on desktop-devel-list@gnome.org (make sure
> > you're subscribed).
> [..]
> being part of a distribution team: do you have any information you can
> share on this topic or do we have to wait for it to become fully public?
> 
> Maybe we can even throw in some manpower; worth exploring.

We received various details on bugs already. The normal process is that
we forward this to the maintainer and it is fixed. There's nothing in
place when there's no maintainer. As release team, we thought it was
maybe better to have a few security people on security@gnome.org.
However, we never actioned it and now have these bugs.

So one way to proceed would maybe be to add some known openSUSE security
person to security@gnome.org, then set up Bugzilla permissions as well.

I'm guessing we should also add Red Hat / Fedora. We had people showing
interest quite a while ago.

Note: security@gnome.org was mainly used (until librsvg) to either rant
or ask random support questions. Any security person can ignore those;
it'll be handled by release team. People sometimes email maintainers
directly, sometimes we're a post office.

Anyone who's interested probably should be willing to improve anything
that's lacking.

-- 
Regards,
Olav