Re: Officially releasing a patch for CVE-2016-1513
[Posted July 27, 2016 by jake]
| From: | Don Lewis <truckman-AT-apache.org> |
| To: | dev-AT-openoffice.apache.org |
| Subject: | Re: Officially releasing a patch for CVE-2016-1513 |
| Date: | Sun, 24 Jul 2016 15:13:54 -0700 (PDT) |
| Message-ID: | <201607242213.u6OMDsLK075747__33204.2220085443$1469398475$gmane$org@gw.catspoiler.org> |
On 24 Jul, Don Lewis wrote:
> At a minimum, we should publish the hash values of buggy and fixed
> versions of the library. That might not help someone who builds and
> installs from source since the build might not be completely repeatable.
> For instance the library might contain a timestamp.
Adding a static string "CVE-2016-1513 Fixed" to the source is another
possibility. On *nix, the user/administrator can run:

    strings whatever.so | grep CVE

and look for the above to verify that the fixed library has been
installed. Someone would have to figure out how to do the equivalent on
Windows.
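A portable version of the `strings | grep` check described in the message, combined with the hash comparison from the quoted text, as an added example that is not code from the message or from the Apache OpenOffice project. The function names and the hash sets passed to `classify` are assumptions for illustration; the example also goes beyond the message by scanning for UTF-16LE strings, the usual wide-string encoding in Windows binaries.

```python
import hashlib
import re
import sys

MARKER = "CVE-2016-1513 Fixed"  # marker string proposed in the message above

# Runs of >= 4 printable characters, as strings(1) reports them: plain ASCII,
# plus UTF-16LE for wide strings embedded in Windows binaries.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def printable_strings(data):
    """Yield every printable string found in a binary blob."""
    for m in ASCII_RUN.finditer(data):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.group().decode("utf-16-le")


def has_marker(data, marker=MARKER):
    """Equivalent of `strings whatever.so | grep CVE` for one exact marker."""
    return any(marker in s for s in printable_strings(data))


def classify(data, fixed_hashes=(), buggy_hashes=()):
    """Return (verdict, sha256). A published hash outranks the marker string."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in buggy_hashes:
        return "buggy (hash match)", digest
    if digest in fixed_hashes:
        return "fixed (hash match)", digest
    if has_marker(data):
        return "fixed (marker found, hash unknown)", digest
    return "unknown (no marker, hash unknown)", digest


if __name__ == "__main__":
    # The library path is supplied by the administrator; none is assumed here.
    if len(sys.argv) != 2:
        sys.exit("usage: python check_fix.py <path-to-library>")
    with open(sys.argv[1], "rb") as fh:
        verdict, digest = classify(fh.read())
    print(f"{digest}  {verdict}")
```

A marker match only shows that the string is present in the file, so a match against a published hash is the stronger result when the installed binary is an official build.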