unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* [PATCH 0/1] Fix many jasper CVEs
@ 2016-01-30 21:20 Leo Famulari
  2016-01-30 21:20 ` [PATCH 1/1] gnu: jasper: Add fixes for several security flaws Leo Famulari
  2016-01-30 23:00 ` [PATCH 0/1] Fix many jasper CVEs Leo Famulari
  0 siblings, 2 replies; 3+ messages in thread
From: Leo Famulari @ 2016-01-30 21:20 UTC (permalink / raw)
  To: guix-devel

I set out to apply the fix for CVE-2016-1867 to jasper and found that
our package had many unpatched CVEs dating back to 2008 [0].

Most of these patches are copied from Fedora [1] but the patch for
CVE-2016-1867 is copied from SUSE [2].

I copied one non-CVE patch from Fedora because the patch for
CVE-2008-3520 builds on it.

There are other non-CVE patches in the Fedora tree [1]. Do you think we
should apply any of those as well?

[0]
https://security-tracker.debian.org/tracker/source-package/jasper
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8157
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8158 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1867

[1]
http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/

[2]
https://bugzilla.suse.com/show_bug.cgi?id=961886

Leo Famulari (1):
  gnu: jasper: Add fixes for several security flaws.

 gnu-system.am                                      |   9 +
 gnu/packages/image.scm                             |  13 +-
 gnu/packages/patches/jasper-CVE-2008-3520.patch    | 931 +++++++++++++++++++++
 .../jasper-CVE-2011-4516-and-CVE-2011-4517.patch   |  31 +
 gnu/packages/patches/jasper-CVE-2014-8137.patch    |  64 ++
 gnu/packages/patches/jasper-CVE-2014-8138.patch    |  21 +
 gnu/packages/patches/jasper-CVE-2014-8157.patch    |  19 +
 gnu/packages/patches/jasper-CVE-2014-8158.patch    | 336 ++++++++
 gnu/packages/patches/jasper-CVE-2014-9029.patch    |  36 +
 gnu/packages/patches/jasper-CVE-2016-1867.patch    |  18 +
 .../patches/jasper-stepsizes-overflow.patch        |  20 +
 11 files changed, 1497 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/jasper-CVE-2008-3520.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8137.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8138.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8157.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8158.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-9029.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2016-1867.patch
 create mode 100644 gnu/packages/patches/jasper-stepsizes-overflow.patch

-- 
2.6.3

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2016-01-30 23:01 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-01-30 21:20 [PATCH 0/1] Fix many jasper CVEs Leo Famulari
2016-01-30 21:20 ` [PATCH 1/1] gnu: jasper: Add fixes for several security flaws Leo Famulari
2016-01-30 23:00 ` [PATCH 0/1] Fix many jasper CVEs Leo Famulari

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).