unofficial mirror of guix-devel@gnu.org 
* Re: 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}.
       [not found] ` <20161210200324.4B8C12201B9@vcs.savannah.gnu.org>
@ 2016-12-11  6:02   ` Leo Famulari
  2016-12-11  7:13     ` Leo Famulari
  2016-12-11  7:55     ` Efraim Flashner
  0 siblings, 2 replies; 3+ messages in thread
From: Leo Famulari @ 2016-12-11  6:02 UTC (permalink / raw)
  To: guix-devel

On Sat, Dec 10, 2016 at 08:03:24PM +0000, Efraim Flashner wrote:
> efraim pushed a commit to branch master
> in repository guix.
> 
> commit a304b6c362dcfadfaa2cfe2a67f5e948f247fd51
> Author: Efraim Flashner <efraim@flashner.co.il>
> Date:   Sat Dec 10 21:45:29 2016 +0200
> 
>     gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}.
>     
>     * gnu/packages/image.scm (openjpeg)[replacement]: New field.
>     (openjpeg/fixed): New variable, patch against CVE-2016-9850,
>     CVE-2016-9851.
>     * gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch: New file.
>     * gnu/local.mk (dist_patch_DATA): Register it.

I think this patch should have been sent to guix-devel for review. 

The patches are from a 3rd-party repository. The author does seem to
have a relationship to the OpenJPEG project (from past commits), but
nobody else from OpenJPEG commented on these changes yet:

https://github.com/uclouvain/openjpeg/issues/871
https://github.com/uclouvain/openjpeg/issues/872
https://github.com/uclouvain/openjpeg/pull/873/files

While poking around, I noticed there is a newer OpenJPEG release
(2.1.2), and a bunch of recent bugs:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg

Especially CVE-2016-8332:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8332


* Re: 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}.
  2016-12-11  6:02   ` 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851} Leo Famulari
@ 2016-12-11  7:13     ` Leo Famulari
  2016-12-11  7:55     ` Efraim Flashner
  1 sibling, 0 replies; 3+ messages in thread
From: Leo Famulari @ 2016-12-11  7:13 UTC (permalink / raw)
  To: guix-devel

On Sun, Dec 11, 2016 at 01:02:14AM -0500, Leo Famulari wrote:
> While poking around, I noticed there is a newer OpenJPEG release
> (2.1.2), and a bunch of recent bugs:
> 
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg
> 
> Especially CVE-2016-8332:
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8332

I updated the replacement package to version 2.1.2 in
0e8b7b1c351a2307bfc33211b4d76dbe7dfa01ef.

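The commit message above describes a Guix graft: the user-facing `openjpeg` package gets a `replacement` field pointing at a variant built from the same definition, and Leo's follow-up switches that variant to the newer upstream release. The following is an added illustration of that idiom, not the code from the commit or from the Guix repository: the version strings, hashes, description and the `openjpeg/fixed-2.1.2` name are placeholders or assumptions; only the patch file name comes from the thread.

```scheme
;; Added illustration of the Guix graft idiom discussed in this thread.
;; Not the code from the commit: versions, hashes and description are
;; placeholders; only the structure is what Guix expects.
(define-module (example openjpeg-graft)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system cmake)
  #:use-module (gnu packages)          ; provides search-patches
  #:use-module ((guix licenses) #:prefix license:))

;; The package users and dependents refer to.  The `replacement' field
;; tells Guix to graft the fixed variant onto everything that depends on
;; this package instead of rebuilding all the dependents.
(define-public openjpeg
  (package
    (name "openjpeg")
    (version "2.1.1")                                   ; placeholder
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/uclouvain/openjpeg/archive/v"
                           version ".tar.gz"))
       (file-name (string-append name "-" version ".tar.gz"))
       (sha256
        (base32 "0000000000000000000000000000000000000000000000000000")))) ; placeholder
    (replacement openjpeg/fixed)
    (build-system cmake-build-system)
    (home-page "https://github.com/uclouvain/openjpeg")
    (synopsis "JPEG 2000 codec")
    (description "Placeholder description for the example.")
    (license license:bsd-2)))

;; Variant 1 (the original commit's approach): same release, with a
;; backported patch taken from the distribution's patch directory.
(define openjpeg/fixed
  (package
    (inherit openjpeg)
    (source
     (origin
       (inherit (package-source openjpeg))
       (patches (search-patches
                 "openjpeg-CVE-2016-9850-CVE-2016-9851.patch"))))))

;; Variant 2 (the approach the thread moved to): the newer upstream point
;; release as the graft base.  `version' is rebound here, so the origin is
;; written out in full rather than inherited.
(define openjpeg/fixed-2.1.2                            ; assumed name
  (package
    (inherit openjpeg)
    (version "2.1.2")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://github.com/uclouvain/openjpeg/archive/v"
                           version ".tar.gz"))
       (file-name (string-append "openjpeg-" version ".tar.gz"))
       (sha256
        (base32 "0000000000000000000000000000000000000000000000000000")))))) ; placeholder
```

Two checks worth making before pushing either variant: a graft rewrites store paths byte for byte, so the replacement's name and version must have the same length as the original's ("openjpeg-2.1.1" and "openjpeg-2.1.2" do), and the replacement must stay ABI-compatible with what it replaces, which is why a patched same-release or an upstream point release are the usual candidates rather than a new minor series. Grafting a newer upstream release also avoids the review problem raised in the first message: the fix then comes from a tagged release rather than an unreviewed third-party patch.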

* Re: 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}.
  2016-12-11  6:02   ` 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851} Leo Famulari
  2016-12-11  7:13     ` Leo Famulari
@ 2016-12-11  7:55     ` Efraim Flashner
  1 sibling, 0 replies; 3+ messages in thread
From: Efraim Flashner @ 2016-12-11  7:55 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel


On Sun, Dec 11, 2016 at 01:02:14AM -0500, Leo Famulari wrote:
> On Sat, Dec 10, 2016 at 08:03:24PM +0000, Efraim Flashner wrote:
> > efraim pushed a commit to branch master
> > in repository guix.
> > 
> > commit a304b6c362dcfadfaa2cfe2a67f5e948f247fd51
> > Author: Efraim Flashner <efraim@flashner.co.il>
> > Date:   Sat Dec 10 21:45:29 2016 +0200
> > 
> >     gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}.
> >     
> >     * gnu/packages/image.scm (openjpeg)[replacement]: New field.
> >     (openjpeg/fixed): New variable, patch against CVE-2016-9850,
> >     CVE-2016-9851.
> >     * gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch: New file.
> >     * gnu/local.mk (dist_patch_DATA): Register it.
> 
> I think this patch should have been sent to guix-devel for review. 
> 
> The patches are from a 3rd-party repository. The author does seem to
> have a relationship to the OpenJPEG project (from past commits), but
> nobody else from OpenJPEG commented on these changes yet:
> 
> https://github.com/uclouvain/openjpeg/issues/871
> https://github.com/uclouvain/openjpeg/issues/872
> https://github.com/uclouvain/openjpeg/pull/873/files

You're right, I should've been more careful with that.

> 
> While poking around, I noticed there is a newer OpenJPEG release
> (2.1.2), and a bunch of recent bugs:
> 
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg
> 
> Especially CVE-2016-8332:
> 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8332
> 

Good catch. I noticed that there was a newer version, but for some
reason I never even thought to use the newer release as the base for the
replacement.


-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

