unofficial mirror of guix-devel@gnu.org 
* [PATCH 0/1] Gst-plugins-good security update
@ 2016-11-25  7:11 Leo Famulari
  2016-11-25  7:11 ` [PATCH 1/1] gnu: gst-plugins-good: Fix CVE-2016-{9634,9635,9636} Leo Famulari
  2016-11-26  8:51 ` [PATCH 0/1] Gst-plugins-good security update Marius Bakke
  0 siblings, 2 replies; 6+ messages in thread
From: Leo Famulari @ 2016-11-25  7:11 UTC (permalink / raw)
  To: guix-devel

This patch should fix the bugs named here:

http://seclists.org/oss-sec/2016/q4/517

I copied Debian's approach, which is to take all the recent patches for
the vulnerable component (the FLIC decoder).

My understanding is that the first two patches fix the CVEs, the 3rd
fixes an unrelated bug, and the 4th is a total rewrite of the component,
because "code is terrible, it should be entirely re-written" [0].

The CVE bug fixes are not split into discrete patches, so it doesn't
work to make patches for each CVE ID, like we normally do.

Is this approach (concatenating the patches) okay?

[0]
https://bugzilla.gnome.org/show_bug.cgi?id=774859#c1

Leo Famulari (1):
  gnu: gst-plugins-good: Fix CVE-2016-{9634,9635,9636}.

 gnu/local.mk                                       |    1 +
 gnu/packages/gstreamer.scm                         |    1 +
 .../gst-plugins-good-flxdec-heap-overflow.patch    | 1433 ++++++++++++++++++++
 3 files changed, 1435 insertions(+)
 create mode 100644 gnu/packages/patches/gst-plugins-good-flxdec-heap-overflow.patch

-- 
2.10.2


Thread overview: 6+ messages
2016-11-25  7:11 [PATCH 0/1] Gst-plugins-good security update Leo Famulari
2016-11-25  7:11 ` [PATCH 1/1] gnu: gst-plugins-good: Fix CVE-2016-{9634,9635,9636} Leo Famulari
2016-11-26  8:51 ` [PATCH 0/1] Gst-plugins-good security update Marius Bakke
2016-11-26 17:54   ` Leo Famulari
2016-11-26 17:58     ` Marius Bakke
2016-11-26 19:38   ` Leo Famulari
