From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: v2: OpenJPEG security fixes (CVE-2016-{5157,7163})
Date: Sat, 10 Sep 2016 00:34:39 +0200
Message-ID: <8760q4r9c0.fsf@gnu.org>
References: <20160909180458.GA2732@jasmine> <20160909202639.GA2000@jasmine>
In-Reply-To: <20160909202639.GA2000@jasmine> (Leo Famulari's message of "Fri, 9 Sep 2016 16:26:39 -0400")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari wrote:

> On Fri, Sep 09, 2016 at 02:04:58PM -0400, Leo Famulari wrote:
>> Also, the fix for CVE-2016-5157 does not apply to openjpeg-2.0. I'd like
>> to investigate this issue separately. The only user of openjpeg-2.0 is
>> mupdf.
>
> I think the best thing to do is update mupdf to the latest upstream
> release, 1.9a, make it use openjpeg@2.1, and remove openjpeg-2.0.

Yes, even better.

> Please see attached. These patches should be applied on top of the
> patches in the email that I am replying to.

The patches in question LGTM.

> From a357edf0f568acf937f2cd9f0e97269221aee3f2 Mon Sep 17 00:00:00 2001
> From: Leo Famulari
> Date: Fri, 9 Sep 2016 16:08:02 -0400
> Subject: [PATCH 1/2] gnu: mupdf: Update to 1.9a.
>
> * gnu/packages/pdf.scm (mupdf): Update to 1.9a.
> [source]: Use "mupdf-build-with-openjpeg-2.1.patch". Adjust snippet to
> preserve bundled 'thirdparty/mujs'.
> [inputs]: Add harfbuzz. Replace openjpeg-2.0 with openjpeg.
> * gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

[...]

> From 8c201fd0392bee804bf11f7c07f4817e3766becd Mon Sep 17 00:00:00 2001
> From: Leo Famulari
> Date: Fri, 9 Sep 2016 16:24:12 -0400
> Subject: [PATCH 2/2] gnu: Remove openjpeg-2.0.
>
> * gnu/packages/image.scm (openjpeg-2.0): Remove variable.

OK as well.

Thank you for handling this nicely!

Ludo’.