* Re: 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}. [not found] ` <20161210200324.4B8C12201B9@vcs.savannah.gnu.org> @ 2016-12-11 6:02 ` Leo Famulari 2016-12-11 7:13 ` Leo Famulari 2016-12-11 7:55 ` Efraim Flashner 0 siblings, 2 replies; 3+ messages in thread From: Leo Famulari @ 2016-12-11 6:02 UTC (permalink / raw) To: guix-devel On Sat, Dec 10, 2016 at 08:03:24PM +0000, Efraim Flashner wrote: > efraim pushed a commit to branch master > in repository guix. > > commit a304b6c362dcfadfaa2cfe2a67f5e948f247fd51 > Author: Efraim Flashner <efraim@flashner.co.il> > Date: Sat Dec 10 21:45:29 2016 +0200 > > gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}. > > * gnu/packages/image.scm (openjpeg)[replacement]: New field. > (openjpeg/fixed): New variable, patch against CVE-2016-9850, > CVE-2016-9851. > * gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch: New file. > * gnu/local.mk (dist_patch_DATA): Register it. I think this patch should have been sent to guix-devel for review. The patches are from a 3rd-party repository. The author does seem to have a relationship to the OpenJPEG project (from past commits), but nobody else from OpenJPEG commented on these changes yet: https://github.com/uclouvain/openjpeg/issues/871 https://github.com/uclouvain/openjpeg/issues/872 https://github.com/uclouvain/openjpeg/pull/873/files While poking around, I noticed there is a newer OpenJPEG release (2.1.2), and a bunch of recent bugs: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg Especial CVE-2016-8332: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8332 ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}. 2016-12-11 6:02 ` 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851} Leo Famulari @ 2016-12-11 7:13 ` Leo Famulari 2016-12-11 7:55 ` Efraim Flashner 1 sibling, 0 replies; 3+ messages in thread From: Leo Famulari @ 2016-12-11 7:13 UTC (permalink / raw) To: guix-devel On Sun, Dec 11, 2016 at 01:02:14AM -0500, Leo Famulari wrote: > While poking around, I noticed there is a newer OpenJPEG release > (2.1.2), and a bunch of recent bugs: > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg > > Especial CVE-2016-8332: > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8332 I updated the replacement package to version 2.1.2 in 0e8b7b1c351a2307bfc33211b4d76dbe7dfa01ef. ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}. 2016-12-11 6:02 ` 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851} Leo Famulari 2016-12-11 7:13 ` Leo Famulari @ 2016-12-11 7:55 ` Efraim Flashner 1 sibling, 0 replies; 3+ messages in thread From: Efraim Flashner @ 2016-12-11 7:55 UTC (permalink / raw) To: Leo Famulari; +Cc: guix-devel [-- Attachment #1: Type: text/plain, Size: 1900 bytes --] On Sun, Dec 11, 2016 at 01:02:14AM -0500, Leo Famulari wrote: > On Sat, Dec 10, 2016 at 08:03:24PM +0000, Efraim Flashner wrote: > > efraim pushed a commit to branch master > > in repository guix. > > > > commit a304b6c362dcfadfaa2cfe2a67f5e948f247fd51 > > Author: Efraim Flashner <efraim@flashner.co.il> > > Date: Sat Dec 10 21:45:29 2016 +0200 > > > > gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}. > > > > * gnu/packages/image.scm (openjpeg)[replacement]: New field. > > (openjpeg/fixed): New variable, patch against CVE-2016-9850, > > CVE-2016-9851. > > * gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch: New file. > > * gnu/local.mk (dist_patch_DATA): Register it. > > I think this patch should have been sent to guix-devel for review. > > The patches are from a 3rd-party repository. The author does seem to > have a relationship to the OpenJPEG project (from past commits), but > nobody else from OpenJPEG commented on these changes yet: > > https://github.com/uclouvain/openjpeg/issues/871 > https://github.com/uclouvain/openjpeg/issues/872 > https://github.com/uclouvain/openjpeg/pull/873/files You're right, I should've been more careful with that. > > While poking around, I noticed there is a newer OpenJPEG release > (2.1.2), and a bunch of recent bugs: > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg > > Especial CVE-2016-8332: > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8332 > Good catch, I noticed that there was a newer version, but for some reason I never even thought to use the newer release as the base for the replacement. -- Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-12-11 7:56 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- [not found] <20161210200323.4764.51747@vcs.savannah.gnu.org> [not found] ` <20161210200324.4B8C12201B9@vcs.savannah.gnu.org> 2016-12-11 6:02 ` 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851} Leo Famulari 2016-12-11 7:13 ` Leo Famulari 2016-12-11 7:55 ` Efraim Flashner
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/guix.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).