unofficial mirror of guix-devel@gnu.org 
* [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052)
@ 2016-01-29  6:01 Leo Famulari
  2016-01-29  6:01 ` [PATCH 1/1] gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052] Leo Famulari
  2016-01-29  7:41 ` [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052) Efraim Flashner
  0 siblings, 2 replies; 5+ messages in thread
From: Leo Famulari @ 2016-01-29  6:01 UTC (permalink / raw)
  To: guix-devel

This patch updates harfbuzz to 1.0.6, fixing CVE-2016-2052 [0].

However, 587 packages depend on harfbuzz [1]. Where should the patch be
applied?

[0]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2052

[1]
Building the following 199 packages would ensure 388 dependent packages
are rebuilt:

Leo Famulari (1):
  gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].

 gnu/packages/gtk.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
2.6.3


* [PATCH 1/1] gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].
  2016-01-29  6:01 [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052) Leo Famulari
@ 2016-01-29  6:01 ` Leo Famulari
  2016-01-29  8:02   ` Mark H Weaver
  2016-01-29  7:41 ` [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052) Efraim Flashner
  1 sibling, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2016-01-29  6:01 UTC (permalink / raw)
  To: guix-devel

* gnu/packages/gtk.scm (harfbuzz): Update to 1.0.6.
---
 gnu/packages/gtk.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 916873b..3f92d0a 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -145,7 +145,7 @@ affine transformation (scale, rotation, shear, etc.).")
 (define-public harfbuzz
   (package
    (name "harfbuzz")
-   (version "1.0.5")
+   (version "1.0.6")
    (source (origin
              (method url-fetch)
              (uri (string-append "http://www.freedesktop.org/software/"
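Review bot: the context lines of this hunk show the tarball being fetched over plain http://www.freedesktop.org/software/, so nothing in the download path authenticates the source and the sha256 in the origin is the only integrity check; if upstream serves the release over https, switching the scheme in the same patch would be a cheap hardening, and either way the new hash should be computed from a tarball that was checked against upstream's release signature rather than from whatever an unauthenticated download returned.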
@@ -153,7 +153,7 @@ affine transformation (scale, rotation, shear, etc.).")
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0h2l362qzkck5dnnj7zlz593hf1ni3k25dfaii9mbjwflp3d56ad"))))
+               "09ivk5m4y09ar4zi9r6db7gp234cy05h0ach7w22g9kqvkxsf5pn"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "bin")) ; 160K, only hb-view depend on cairo
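Review bot: the hash replacement (`"0h2l362q..."` to `"09ivk5m4y09ar4zi9r6db7gp234cy05h0ach7w22g9kqvkxsf5pn"`) is the part of this patch that decides which bytes every one of the 587 dependents gets built against, so the commit message should record how it was obtained (for example by downloading the upstream 1.0.6 tarball with `guix download`), and a second person should reproduce the value independently before it is merged, since a hash copied from an untrusted copy of the tarball would bless tampered source just as readily as genuine source.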
-- 
2.6.3


* Re: [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052)
  2016-01-29  6:01 [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052) Leo Famulari
  2016-01-29  6:01 ` [PATCH 1/1] gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052] Leo Famulari
@ 2016-01-29  7:41 ` Efraim Flashner
  2016-01-29  8:04   ` Leo Famulari
  1 sibling, 1 reply; 5+ messages in thread
From: Efraim Flashner @ 2016-01-29  7:41 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel


On Fri, 29 Jan 2016 01:01:19 -0500
Leo Famulari <leo@famulari.name> wrote:

> This patch updates harfbuzz to 1.0.6, fixing CVE-2016-2052 [0].
> 
> However, 587 packages depend on harfbuzz [1]. Where should the patch be
> applied?
> 
> [0]
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2052
> 
> [1]
> Building the following 199 packages would ensure 388 dependent packages 
> are rebuilt: avidemux-2.6.10 python-pyqt-5.5 pumpa-0.9.1 
[snip]
> Leo Famulari (1):
>   gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].
> 
>  gnu/packages/gtk.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 

how about the security-updates branch?

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted



* Re: [PATCH 1/1] gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].
  2016-01-29  6:01 ` [PATCH 1/1] gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052] Leo Famulari
@ 2016-01-29  8:02   ` Mark H Weaver
  0 siblings, 0 replies; 5+ messages in thread
From: Mark H Weaver @ 2016-01-29  8:02 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> writes:
> * gnu/packages/gtk.scm (harfbuzz): Update to 1.0.6.

I pushed this to the 'security-updates' branch.

     Thanks!
       Mark


* Re: [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052)
  2016-01-29  7:41 ` [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052) Efraim Flashner
@ 2016-01-29  8:04   ` Leo Famulari
  0 siblings, 0 replies; 5+ messages in thread
From: Leo Famulari @ 2016-01-29  8:04 UTC (permalink / raw)
  To: Efraim Flashner; +Cc: guix-devel

On Fri, Jan 29, 2016 at 09:41:45AM +0200, Efraim Flashner wrote:
> On Fri, 29 Jan 2016 01:01:19 -0500
> Leo Famulari <leo@famulari.name> wrote:
> 
> > This patch updates harfbuzz to 1.0.6, fixing CVE-2016-2052 [0].
> > 
> > However, 587 packages depend on harfbuzz [1]. Where should the patch be
> > applied?
> > 
> > [0]
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2052
> > 
> > [1]
> > Building the following 199 packages would ensure 388 dependent packages 
> > are rebuilt: avidemux-2.6.10 python-pyqt-5.5 pumpa-0.9.1 
> [snip]
> > Leo Famulari (1):
> >   gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].
> > 
> >  gnu/packages/gtk.scm | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> 
> how about the security-updates branch?

I'm not sure of the status of the branch with respect to Hydra. That is,
is it currently building the branch? If so, is it bad to push to the
branch? I wouldn't mind a little education on this topic!

Others can feel free to push this if appropriate.

> 
> -- 
> Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
> GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
> Confidentiality cannot be guaranteed on emails sent or received unencrypted

