unofficial mirror of guix-devel@gnu.org 
From: Leo Famulari <leo@famulari.name>
To: Andreas Enge <andreas@enge.fr>
Cc: guix-devel@gnu.org
Subject: Re: [v2 0/1] Jasper security fixes
Date: Thu, 4 Feb 2016 15:16:26 -0500
Message-ID: <20160204201626.GA7304@jasmine>
In-Reply-To: <20160204104538.GA23977@debian.eduroam.u-bordeaux.fr>

On Thu, Feb 04, 2016 at 11:45:38AM +0100, Andreas Enge wrote:
> It is a bit frightening that such a package with lots of CVE fixes apparently
> is dead upstream (since the patches from 2008 have not been incorporated into
> a new release). On the other hand, someone must have written the patches;
> is there no new upstream who has taken over? If not, is the software still
> useful and unique enough to keep it around?

I agree. The upstream developers claim to be responsive [0], but it's
hard to reconcile that with 9 years of unpatched CVEs. Especially when
many of these patches address potential untrusted remote code execution.

It seems that sometimes a distro adopts another distro's patch, or
sometimes writes their own. Every distro is maintaining their own patch
quilt. Not good!

I haven't found a new upstream for jasper.

Thankfully, only Kodi depends on jasper in our tree. I searched my store
for other software that might have bundled it and found nothing, but I
don't have many programs that would handle JPEGs installed. Perhaps it's
possible to use some other JPEG implementation in Kodi and drop jasper.

Sadly, there are many packages in our tree, with active upstreams, that
are probably just as vulnerable.

> 
> Apart from these more fundamental questions, it looks good to push.

Done.

[0] http://www.ece.uvic.ca/~frodo/jasper/#faq
