From: Leo Famulari
Subject: Re: cairo CVE-2016-9082
Date: Mon, 28 Nov 2016 22:06:41 -0500
Message-ID: <20161129030641.GA22954@jasmine>
References: <20161128185211.GC2509@macbook42.flashner.co.il> <20161128193053.GD2509@macbook42.flashner.co.il>
In-Reply-To: <20161128193053.GD2509@macbook42.flashner.co.il>
To: Efraim Flashner
Cc: guix-devel@gnu.org

On Mon, Nov 28, 2016 at 09:30:53PM +0200, Efraim Flashner wrote:
> The previous patch somehow stopped working for me, and I was getting
> complaints about unbound variable cairo/fixed, so I rewrote the patch to
> have every cairo use the patch separately.

Thanks for taking on this tricky bug fix!

> diff --git a/gnu/packages/patches/cairo-CVE-2016-9082.patch b/gnu/packages/patches/cairo-CVE-2016-9082.patch

Please add a link to the patch source in the patch file. I know it can be
found in the linked bug report, but it does help readers to be explicit,
in my opinion.

Otherwise LGTM.

The patch is not in the cairo repo yet, AFAICT:

https://cgit.freedesktop.org/cairo/

But, Debian did use it:

https://anonscm.debian.org/cgit/collab-maint/cairo.git/tree/debian/patches/07_CVE-2016-9082.patch

Can you follow the upstream resolution of the bug in case they decide to
use a different patch?