On Fri, Sep 09, 2016 at 02:04:39AM -0400, Leo Famulari wrote:
> Two bugs disclosed in OpenJPEG, CVE-2016-5157 and CVE-2016-7163. Both
> can be used to execute arbitrary code, apparently.

Ah! my favorite kind of code!

Joking aside, why not patch both CVEs at the same time?

>
> CVE-2016-7163:
> http://seclists.org/oss-sec/2016/q3/442
>
> CVE-2016-5157:
> http://seclists.org/oss-sec/2016/q3/441
>
> Leo Famulari (2):
>   gnu: openjpeg-2.*: Fix CVE-2016-7163.
>   gnu: openjpeg-2.*: Fix CVE-2016-5157.
>
>  gnu/local.mk | 2 +
>  gnu/packages/image.scm | 8 +-
>  gnu/packages/patches/openjpeg-CVE-2016-5157.patch | 98 +++++++++++++++++++++++
>  gnu/packages/patches/openjpeg-CVE-2016-7163.patch | 71 ++++++++++++++++
>  4 files changed, 177 insertions(+), 2 deletions(-)
>  create mode 100644 gnu/packages/patches/openjpeg-CVE-2016-5157.patch
>  create mode 100644 gnu/packages/patches/openjpeg-CVE-2016-7163.patch
>
> --
> 2.10.0
>
>

--
Efraim Flashner אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted