unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: Re: 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}.
Date: Sun, 11 Dec 2016 01:02:14 -0500	[thread overview]
Message-ID: <20161211060214.GA30740@jasmine> (raw)
In-Reply-To: <20161210200324.4B8C12201B9@vcs.savannah.gnu.org>

On Sat, Dec 10, 2016 at 08:03:24PM +0000, Efraim Flashner wrote:
> efraim pushed a commit to branch master
> in repository guix.
> 
> commit a304b6c362dcfadfaa2cfe2a67f5e948f247fd51
> Author: Efraim Flashner <efraim@flashner.co.il>
> Date:   Sat Dec 10 21:45:29 2016 +0200
> 
>     gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}.
>     
>     * gnu/packages/image.scm (openjpeg)[replacement]: New field.
>     (openjpeg/fixed): New variable, patch against CVE-2016-9850,
>     CVE-2016-9851.
>     * gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch: New file.
>     * gnu/local.mk (dist_patch_DATA): Register it.

I think this patch should have been sent to guix-devel for review. 

The patches are from a 3rd-party repository. The author does seem to
have a relationship to the OpenJPEG project (from past commits), but
nobody else from OpenJPEG commented on these changes yet:

https://github.com/uclouvain/openjpeg/issues/871
https://github.com/uclouvain/openjpeg/issues/872
https://github.com/uclouvain/openjpeg/pull/873/files

While poking around, I noticed there is a newer OpenJPEG release
(2.1.2), and a bunch of recent bugs:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg

Especial CVE-2016-8332:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8332

       reply	other threads:[~2016-12-11  6:02 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20161210200323.4764.51747@vcs.savannah.gnu.org>
     [not found] ` <20161210200324.4B8C12201B9@vcs.savannah.gnu.org>
2016-12-11  6:02   ` Leo Famulari [this message]
2016-12-11  7:13     ` 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851} Leo Famulari
2016-12-11  7:55     ` Efraim Flashner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161211060214.GA30740@jasmine \
    --to=leo@famulari.name \
    --cc=guix-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).