From: Marius Bakke
Subject: bug#33924: OpenJPEG security issues
Date: Wed, 24 Apr 2019 18:41:39 +0200
Message-ID: <87h8angxto.fsf@fastmail.com>
In-Reply-To: <20181230174150.GA21025@jasmine.lan>
To: Leo Famulari, 33924-done@debbugs.gnu.org

Leo Famulari writes:

> There are several open security bugs in our package of OpenJPEG 2.3.0:
>
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg
>
> `guix refresh -l openjpeg` reports that several thousand packages would
> need to be rebuilt if we changed OpenJPEG, so we will need to fix these
> bugs by cherry-picking the upstream bugfix patches in a grafted
> replacement package.
>
> If anyone is interested in doing the work and needs advice, please ask
> for help :)
>
> These are the CVE identifiers:
>
> CVE-2017-17479
> CVE-2018-5727
> CVE-2018-5785
> CVE-2018-6616
> CVE-2018-7648
> CVE-2018-14423
> CVE-2018-16375
> CVE-2018-16376
> CVE-2018-17480
> CVE-2018-18088

I believe commit 0e2b0b05accdea7c3f016f8483d0ec04021114d3 fixed these.