Hi Graeme,

Just check that it is not the same patch for which Boudewijn Rempt of Krita is complaining here: http://www.valdyas.org/fading/index.cgi/2009/04/03

Regards,
--Tommaso

________________________________
From: Graeme Gill <graeme@xxxxxxxxxxxxx>
To: argyllcms@xxxxxxxxxxxxx
Sent: Saturday 4 April 2009, 1:33:00
Subject: [argyllcms] Re: Security problems in Argyll's icclib

Roland Mas wrote:
> Graeme, I'd like your opinion on this patch. It didn't apply cleanly

Well, I find it interesting that whoever originally noticed problems didn't bother to contact me first; all they seemed interested in was their Linux distro. (I'm coming to the conclusion this is pretty typical behavior, judging from similar responses to patches to xli. Courtesy in regard to upstream seems to be completely lacking, never mind concern about any other users of the library).

The general issue addressed is probably fair enough, and was one motivating factor in attempting to develop icclib4, the (still unfinished, unreleased) ICCV4 version of icclib that has been written with security against crafted files particularly in mind. One of the things I realized in writing it was that although in icclib I had attempted to guard against wrong lengths and malloc failures, I hadn't understood the implications of integer overflow.

The icclib4 approach is rather more robust than the patches against the current icclib; nevertheless, I'll attempt to audit the changes and update the code. (I note that Marti Maria has had an issue with someone contributing "security" fixes to lcms that turned out to be undesirable.)

Thanks for bringing it to my attention.

Graeme Gill.
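The integer-overflow point Graeme raises above, as an added example that is neither icclib's code nor part of this thread: a length check that multiplies in 32 bits beside the division form that cannot wrap, applied to a hypothetical count-prefixed tag layout. The layout, the sample bytes and every function name are constructed for this illustration and are not taken from the ICC specification or from icclib.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Read a big-endian 32-bit value (ICC files store integers big-endian). */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The pattern the mail warns about: the length check looks right, but
 * count * elem_size is computed in 32 bits and can wrap to a small number,
 * so a crafted count passes the check and far too little memory is allocated.
 * Returns 1 if the length is accepted. */
int length_check_unsafe(uint32_t count, uint32_t elem_size, uint32_t avail) {
    uint32_t needed = count * elem_size;   /* may wrap around */
    return needed <= avail;
}

/* Overflow-proof form: bound count by avail / elem_size before multiplying,
 * so the product is never formed when it could not fit. */
int length_check_safe(uint32_t count, uint32_t elem_size, size_t avail) {
    if (elem_size == 0) return 0;
    return count <= avail / elem_size;
}

/* Hypothetical tag layout used only here (not icclib's): a 4-byte entry
 * count followed by `count` 4-byte entries. Returns a malloc'd array the
 * caller frees, or NULL (with *count_out = 0) if the tag is malformed. */
uint32_t *parse_entries(const unsigned char *tag, size_t tag_len, size_t *count_out) {
    *count_out = 0;
    if (tag_len < 4) return NULL;
    uint32_t count = be32(tag);
    /* Bytes after the header are tag_len - 4; dividing keeps a huge count
     * from wrapping past the check. */
    if (!length_check_safe(count, 4, tag_len - 4)) return NULL;
    uint32_t *e = malloc(count ? (size_t)count * 4 : 1);  /* malloc(0) may be NULL */
    if (e == NULL) return NULL;
    for (uint32_t i = 0; i < count; i++)
        e[i] = be32(tag + 4 + (size_t)i * 4);
    *count_out = count;
    return e;
}

/* Constructed sample input: a well-formed tag with two entries, and a
 * crafted one whose count (0x40000001) times 4 wraps to 4 in 32 bits. */
static const unsigned char sample_tag[12]  = {0,0,0,2, 0,1,0,0, 0,0,0xff,0xff};
static const unsigned char crafted_tag[12] = {0x40,0,0,1, 0,0,0,0, 0,0,0,0};
```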