IRC Logs for #crux-devel Thursday, 2020-01-09

*** xor29ah has quit IRC 00:11
*** xor29ah has joined #crux-devel 00:12
*** xor29ah has quit IRC 00:21
*** xor29ah has joined #crux-devel 00:22
<ryuo> stenur: incidentally i've discovered repos that don't have a master branch. their default is named something else. 00:26
<ryuo> so the master branch must just be the default name for the default branch. 00:26
*** xor29ah has quit IRC 00:28
*** xor29ah has joined #crux-devel 00:29
<jaeger> yeah, master is the default but not required 01:35
*** xor29ah has quit IRC 10:55
*** xor29ah has joined #crux-devel 11:00
<Romster> CVE-2019-5188 11:01
<Romster> A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. 11:01
<Romster> jaeger, openexr and ilmbase have CVEs and are in need of an update 11:03
<Romster> CVE-2018-18443 11:03
<Romster> OpenEXR 2.3.0 has a memory leak in ThreadPool in IlmBase/IlmThread/IlmThreadPool.cpp, as demonstrated by exrmultiview. 11:03
*** xor29ah has quit IRC 11:06
*** xor29ah has joined #crux-devel 11:20
<frinnst> "This is probably not exploitable on 64-bit platforms, but may be exploitable on 32-bit binaries depending on how the compiler lays out the stack variables." 13:26
<jue> Romster: FTR, according to the release notes of e2fsprogs the bug you mentioned is only exploitable on 32-bit systems 13:30
<jue> oops, I'm too late ;) 13:30
<frinnst> you snooze you lose! 13:38
<Romster> ah 13:42
<Romster> i didn't dig that deep 13:42
<stenur> ryuo: yes, sure. But the "head" of CRUX moves from release to release, so they cannot automatize it, can they? 14:23
<stenur> Looks shitty over and over again. imho. 14:23
*** pedja has joined #crux-devel 15:20
<jaeger> Romster: openexr 2.3.0 seems to be the latest version, are you saying that one has the mem leak or fixes it? 16:39
<jaeger> I wonder if anything actually needs openexr or ilmbase anymore 16:39
<pedja> 2.4.0 is the latest one, fixes 2 cve's too 16:40
<jaeger> ah, just not updated on openexr.com, then 16:41
<jaeger> will have to change ck4up to the github pages 16:41
<pedja> academy software foundation github 16:42
<pedja> the web site lags behind sometimes, as you found out :) 16:42
<jaeger> yeah 16:42
*** Workster has quit IRC 17:03
*** wqyuaqiygngdqysq has joined #crux-devel 17:03
<jaeger> looks like ilmbase is replaced by openexr so that's nice 17:04
<pedja> really? cool, that was a PITA :) 17:05
<pedja> from what I remember, ilmbase is a bit fiddly. not as fiddly as openimageio, though :) 17:06
<pedja> the joys of many, many blender dependencies 17:07
<jaeger> oh, right, that's what uses these... I'd forgotten 17:08
<jaeger> building openexr with high thread count uses a LOT of RAM/swap, wow 17:14
<jaeger> It went 6GB into swap on a host with 16GB RAM and -j32 17:14
*** darfo has quit IRC 18:27
*** darfo has joined #crux-devel 18:30
<pedja> they are using azure pipelines for CI, I wonder how beefy those servers are :) 18:31
<pedja> they are building in centos7 container, amongst others. the last release build was ~6min 18:32
*** heroux has quit IRC 19:11
*** heroux has joined #crux-devel 20:03
*** pedja has quit IRC 22:22
