From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: cairo CVE-2016-9082
Date: Mon, 28 Nov 2016 22:06:41 -0500
Message-ID: <20161129030641.GA22954@jasmine>
References: <20161128185211.GC2509@macbook42.flashner.co.il>
	<20161128193053.GD2509@macbook42.flashner.co.il>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="n8g4imXOkfNTN/H1"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:41400)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cBYkp-0006mh-B2
	for guix-devel@gnu.org; Mon, 28 Nov 2016 22:06:48 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cBYkm-0005ye-1V
	for guix-devel@gnu.org; Mon, 28 Nov 2016 22:06:47 -0500
Received: from out5-smtp.messagingengine.com ([66.111.4.29]:39253)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <leo@famulari.name>) id 1cBYkl-0005yK-RC
	for guix-devel@gnu.org; Mon, 28 Nov 2016 22:06:43 -0500
Content-Disposition: inline
In-Reply-To: <20161128193053.GD2509@macbook42.flashner.co.il>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Efraim Flashner <efraim@flashner.co.il>
Cc: guix-devel@gnu.org


--n8g4imXOkfNTN/H1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Mon, Nov 28, 2016 at 09:30:53PM +0200, Efraim Flashner wrote:
> The previous patch somehow stopped working for me, and I was getting
> complaints about unbound variable cairo/fixed, so I rewrote the patch to
> have every cairo use the patch separately.

Thanks for taking on this tricky bug fix!

> diff --git a/gnu/packages/patches/cairo-CVE-2016-9082.patch b/gnu/packages/patches/cairo-CVE-2016-9082.patch

Please add a link to the patch source in the patch file. I know it can
be found in the linked bug report, but it does help readers to be
explicit, in my opinion.

Otherwise LGTM.

The patch is not in the cairo repo yet, AFAICT:

https://cgit.freedesktop.org/cairo/

But, Debian did use it:

https://anonscm.debian.org/cgit/collab-maint/cairo.git/tree/debian/patches/07_CVE-2016-9082.patch

Can you follow the upstream resolution of the bug in case they decide to
use a different patch?

--n8g4imXOkfNTN/H1
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlg88L4ACgkQJkb6MLrK
fwi6PxAAuFL84d7XPdbCR/QgvUg8kzDGVdfNLJTnFB4ZYJy1ju6KAqjZ2GEDI4F2
oP4cqB7p2NVxNFVKtka2ZCLea/hYC5j2+H6SyqNT3e1bgrik8048xNXnyKb1q8Wv
NMJN6w+DdMHhBmYnQ30/iRkvzxGazAE5g3VyLwCwt74IUToVqtcnBXz6kwzkV3ic
6X85eacUuFzmpFfa2//pOh3GOJQ0Efhxe0VN/fMcIuFXFRLmC+eBfvrQFe7Il3Oy
MNNARtjxi+1hmQdNKkDTz9iiIzvmngOnu1NaJI6Y2TYNSi3HvKvPB2ThFyn8qHBk
B4hIdUXub8HevPyvPDNOLlxtLBkviQCjUGXsYgU6WhdUosF1KaOmVMZW42iQVOb+
fuyMOjG3Mj1M5C1h6/pimFFcpnqDLwc+N6Kg+Ddum6fQZE1HCjkC1w5XKIhXSsT7
UysknRs2gnqemIZj/+vvG5AoUJV3fMDPsprzOSHd+Lwu3ljx+f0ulH9KpaiW8o/S
ZImBKkPk1TDqE92uf4DUmghh7DlJb3suYMc1iqpFVefihla13c0eWnn5WNvIGIt+
vnu0xxG40oO0V26SwdpKqENVjiVxyC5vuhzbGTEIVS0QgLmaKZc4z3Apjgz7+0ZZ
8v+Csyul8OKGXldoTX/Z+6gG3psrwr+7YtS9v+9FlEgXk8ieehs=
=mBYS
-----END PGP SIGNATURE-----

--n8g4imXOkfNTN/H1--