From: Leo Famulari
Subject: Re: [PATCH] gnu: mupdf: Fix some security problems in bundled mujs.
Date: Sun, 15 Jan 2017 20:27:10 -0500
To: Mark H Weaver
Cc: guix-devel@gnu.org

On Sun, Jan 15, 2017 at 06:05:02PM -0500, Mark H Weaver wrote:
> Hi Leo,
>
> Leo Famulari writes:
>
> > From 34cc0dc9d9451d540f8733ebca2a3db54a073aa0 Mon Sep 17 00:00:00 2001
> > From: Marius Bakke
> > Date: Thu, 12 Jan 2017 19:06:55 +0100
> > Subject: [PATCH 1/2] gnu: mupdf: Fix CVE-2016-{10132,10133} in bundled mujs.
> >
> > * gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch,
> > gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> > * gnu/packages/pdf.scm (mupdf)[replacement]: New field.
>
> We should indeed add a 'replacement' field to 'mupdf', but that part of
> the patch seems to have gotten lost:

I suspected something was wrong. Thank you for catching this. And thanks
to Marius as well! I'm happy to be collaborating on these commits.

I pushed the changes as 8afabb2eca954af6fbba8c6ae37e8f0bc3047840.