Leo Famulari writes:

> There are several open security bugs in our package of OpenJPEG 2.3.0:
>
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg
>
> `guix refresh -l openjpeg` reports that several thousand packages would
> need to be rebuilt if we changed OpenJPEG, so we will need to fix these
> bugs by cherry-picking the upstream bugfix patches in a grafted
> replacement package.
>
> If anyone is interested in doing the work and needs advice, please ask
> for help :)
>
> These are the CVE identifiers:
>
> CVE-2017-17479
> CVE-2018-5727
> CVE-2018-5785
> CVE-2018-6616
> CVE-2018-7648
> CVE-2018-14423
> CVE-2018-16375
> CVE-2018-16376
> CVE-2018-17480
> CVE-2018-18088

I believe commit 0e2b0b05accdea7c3f016f8483d0ec04021114d3 fixed these.