GNU bug report logs -
#74060
[PATCH] gnu: Remove allegro-5.0. [security fixes]
Reported by: Nicolas Graves <ngraves <at> ngraves.fr>
Date: Mon, 28 Oct 2024 11:29:01 UTC
Severity: normal
Tags: easy, patch
Done: Nicolas Graves <ngraves <at> ngraves.fr>
Bug is archived. No further changes may be made.
Message #16 received at 74060 <at> debbugs.gnu.org:
On 2024-11-11 15:17, Nicolas Graves via Guix-patches wrote:
> On 2024-11-11 21:37, Maxim Cournoyer wrote:
>
>> Hi!
>>
>> Nicolas Graves <ngraves <at> ngraves.fr> writes:
>>
>>> This package has no dependencies in Guix, is unsupported (see
>>> https://liballeg.org/old.html) and is vulnerable to CVE-2021-36489.
>>>
>>> * gnu/packages/game-development.scm (allegro-5.0): Delete variable.
>>> * gnu/local.mk: Deregister patch.
>>> * gnu/packages/patches/allegro-mesa-18.2.5-and-later.patch: Delete file.
>>
>> We also have an allegro-4.0 variable; is this one not vulnerable?
> >> https://nvd.nist.gov/vuln/detail/CVE-2021-36489 suggests it is (up to
>> 5.2.6).
>
> If it is removable easily, we should remove it yes. I might have
> forgotten this one.
>
> They are indeed unsupported versions, I reported that upstream in
> https://github.com/liballeg/allegro5/issues/1587
> which confirmed that these versions won't receive security patches.
Indeed there's still a package depending on allegro-4 (aseprite). I
think that's the reason why I didn't consider updating it back then.
The issue is that the new version of aseprite seems nonfree (restricts
freedom to share the software, and the freedom to collaborate on the
software).
IMO we should remove both. Users can still use time-machine if they
really want to use that version, or submit a new version of aseprite in
nonguix. WDYT?
--
Best regards,
Nicolas Graves