* openjpeg-2 security updates vs stale openjpeg-1
@ 2017-09-06 19:18 Mark H Weaver
2017-09-12 8:04 ` Ludovic Courtès
0 siblings, 1 reply; 2+ messages in thread
From: Mark H Weaver @ 2017-09-06 19:18 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1: Type: text/plain, Size: 952 bytes --]
We've recently applied several security updates to openjpeg-2, but our
'poppler' and 'tracker' packages still use openjpeg-1 which is more than
a year old, and presumably has most of the same security issues.
In the case of 'poppler', apparently upstream says that openjpeg-1 is
preferred because of some regressions when using openjpeg-2.
Personally, I'm much more concerned about my machine being compromised
by a malicious PDF file than about these regressions.
I'm also very concerned about GNOME-3's 'tracker' automatically decoding
jpeg files using a buggy openjpeg-1.
I've just rebuilt my x86_64 GuixSD system to use 'openjpeg' from git
(since I see many more fixes there that look security-relevant), and to
use this fresh openjpeg in both 'poppler' and 'tracker'. Unfortunately,
the 'poppler' change required a massive rebuild, but with these updates
my system seems to work just fine.
I've attached my preliminary patches.
Mark
[-- Attachment #2: [PATCH 1/3] gnu: openjpeg: Update to 2.2.0-1.3a382d312 --]
[-- Type: text/x-patch, Size: 16244 bytes --]
From abd9df8c4623cc44ef77be69977e2635c0fdd3bf Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Mon, 4 Sep 2017 23:48:55 -0400
Subject: [PATCH 1/3] gnu: openjpeg: Update to 2.2.0-1.3a382d312.
* gnu/packages/image.scm (openjpeg): Switch to using a git checkout, and
update to 2.2.0-1.3a382d312. Remove patches.
* gnu/packages/patches/openjpeg-CVE-2017-12982.patch,
gnu/packages/patches/openjpeg-CVE-2017-14040.patch,
gnu/packages/patches/openjpeg-CVE-2017-14041.patch,
gnu/packages/patches/openjpeg-CVE-2017-14151.patch,
gnu/packages/patches/openjpeg-CVE-2017-14152.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
gnu/local.mk | 5 --
gnu/packages/image.scm | 48 ++++++-------
gnu/packages/patches/openjpeg-CVE-2017-12982.patch | 28 --------
gnu/packages/patches/openjpeg-CVE-2017-14040.patch | 83 ----------------------
gnu/packages/patches/openjpeg-CVE-2017-14041.patch | 25 -------
gnu/packages/patches/openjpeg-CVE-2017-14151.patch | 46 ------------
gnu/packages/patches/openjpeg-CVE-2017-14152.patch | 38 ----------
7 files changed, 22 insertions(+), 251 deletions(-)
delete mode 100644 gnu/packages/patches/openjpeg-CVE-2017-12982.patch
delete mode 100644 gnu/packages/patches/openjpeg-CVE-2017-14040.patch
delete mode 100644 gnu/packages/patches/openjpeg-CVE-2017-14041.patch
delete mode 100644 gnu/packages/patches/openjpeg-CVE-2017-14151.patch
delete mode 100644 gnu/packages/patches/openjpeg-CVE-2017-14152.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 19077279a..7942993d9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -899,11 +899,6 @@ dist_patch_DATA = \
%D%/packages/patches/ola-readdir-r.patch \
%D%/packages/patches/openscenegraph-ffmpeg3.patch \
%D%/packages/patches/openexr-missing-samples.patch \
- %D%/packages/patches/openjpeg-CVE-2017-12982.patch \
- %D%/packages/patches/openjpeg-CVE-2017-14040.patch \
- %D%/packages/patches/openjpeg-CVE-2017-14041.patch \
- %D%/packages/patches/openjpeg-CVE-2017-14151.patch \
- %D%/packages/patches/openjpeg-CVE-2017-14152.patch \
%D%/packages/patches/openldap-CVE-2017-9287.patch \
%D%/packages/patches/openocd-nrf52.patch \
%D%/packages/patches/openssl-runpath.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 3bb8de15c..0195ab2bd 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -1,7 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2017 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2013, 2015, 2016 Andreas Enge <andreas@enge.fr>
-;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2015, 2016, 2017 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014, 2015 Alex Kost <alezost@gmail.com>
;;; Copyright © 2014, 2016, 2017 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2015 Taylan Ulrich Bayırlı/Kammer <taylanbayirli@gmail.com>
@@ -507,35 +507,31 @@ work.")
(license license:gpl2+)))
(define-public openjpeg
- (package
- (name "openjpeg")
- (version "2.2.0")
- (source
- (origin
- (method url-fetch)
- (uri
- (string-append "https://github.com/uclouvain/openjpeg/archive/v"
- version ".tar.gz"))
- (file-name (string-append name "-" version ".tar.gz"))
- (sha256
- (base32
- "0yvfghxwfm3dcqr9krkw63pcd76hzkknc3fh7bh11s8qlvjvrpbg"))
- (patches (search-patches "openjpeg-CVE-2017-12982.patch"
- "openjpeg-CVE-2017-14040.patch"
- "openjpeg-CVE-2017-14041.patch"
- "openjpeg-CVE-2017-14151.patch"
- "openjpeg-CVE-2017-14152.patch"))))
- (build-system cmake-build-system)
- (arguments
+ (let ((commit "3a382d312306f45853b3ad78b770754d4bc7e440")
+ (revision "1"))
+ (package
+ (name "openjpeg")
+ (version (string-append "2.2.0-" revision "." (string-take commit 9)))
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/uclouvain/openjpeg")
+ (commit commit)))
+ (file-name (string-append name "-" version "-checkout"))
+ (sha256
+ (base32
+ "1w3xpwhf3ik07g9xmzpy6l24zi79p78sih2mz8j398z64k546yd7"))))
+ (build-system cmake-build-system)
+ (arguments
;; Trying to run `$ make check' results in a no rule fault.
'(#:tests? #f))
- (inputs
+ (inputs
`(("lcms" ,lcms)
("libpng" ,libpng)
("libtiff" ,libtiff)
("zlib" ,zlib)))
- (synopsis "JPEG 2000 codec")
- (description
+ (synopsis "JPEG 2000 codec")
+ (description
"The OpenJPEG library is a JPEG 2000 codec written in C. It has
been developed in order to promote the use of JPEG 2000, the new
still-image compression standard from the Joint Photographic Experts
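Review bot: The new origin for `openjpeg` drops all five `search-patches` entries, but nothing in this hunk or in the commit log records that commit 3a382d312306f45853b3ad78b770754d4bc7e440 already contains the corresponding upstream fixes (baf0c1ad, 2cd30c2b, e5285319, afb308b9 and 4241ae6f, per the headers of the deleted patch files). Please add a comment above the `let` saying why an unreleased snapshot is packaged and that it supersedes the CVE-2017-12982, -14040, -14041, -14151 and -14152 patches, so the pin is not later moved back to a release tarball that lacks them. The retained `#:tests? #f` also means the snapshot is built without upstream's regression suite; it is worth re-checking whether the "no rule" failure described in the comment still applies to a git checkout.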
@@ -545,8 +541,8 @@ In addition to the basic codec, various other features are under
development, among them the JP2 and MJ2 (Motion JPEG 2000) file formats,
an indexing tool useful for the JPIP protocol, JPWL-tools for
error-resilience, a Java-viewer for j2k-images, ...")
- (home-page "https://github.com/uclouvain/openjpeg")
- (license license:bsd-2)))
+ (home-page "https://github.com/uclouvain/openjpeg")
+ (license license:bsd-2))))
(define-public openjpeg-1
(package (inherit openjpeg)
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-12982.patch b/gnu/packages/patches/openjpeg-CVE-2017-12982.patch
deleted file mode 100644
index 3929a7357..000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-12982.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-http://openwall.com/lists/oss-security/2017/08/21/1
-https://github.com/uclouvain/openjpeg/commit/baf0c1ad4572daa89caa3b12985bdd93530f0dd7.patch
-
-From baf0c1ad4572daa89caa3b12985bdd93530f0dd7 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Mon, 14 Aug 2017 17:26:58 +0200
-Subject: [PATCH] bmp_read_info_header(): reject bmp files with biBitCount == 0
- (#983)
-
----
- src/bin/jp2/convertbmp.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/bin/jp2/convertbmp.c b/src/bin/jp2/convertbmp.c
-index b49e7a080..2715fdf24 100644
---- a/src/bin/jp2/convertbmp.c
-+++ b/src/bin/jp2/convertbmp.c
-@@ -392,6 +392,10 @@ static OPJ_BOOL bmp_read_info_header(FILE* IN, OPJ_BITMAPINFOHEADER* header)
-
- header->biBitCount = (OPJ_UINT16)getc(IN);
- header->biBitCount |= (OPJ_UINT16)((OPJ_UINT32)getc(IN) << 8);
-+ if (header->biBitCount == 0) {
-+ fprintf(stderr, "Error, invalid biBitCount %d\n", 0);
-+ return OPJ_FALSE;
-+ }
-
- if (header->biSize >= 40U) {
- header->biCompression = (OPJ_UINT32)getc(IN);
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14040.patch b/gnu/packages/patches/openjpeg-CVE-2017-14040.patch
deleted file mode 100644
index bd7473ba0..000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-14040.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-http://openwall.com/lists/oss-security/2017/08/28/3
-https://github.com/uclouvain/openjpeg/commit/2cd30c2b06ce332dede81cccad8b334cde997281.patch
-
-From 2cd30c2b06ce332dede81cccad8b334cde997281 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Thu, 17 Aug 2017 11:47:40 +0200
-Subject: [PATCH] tgatoimage(): avoid excessive memory allocation attempt, and
- fixes unaligned load (#995)
-
----
- src/bin/jp2/convert.c | 39 +++++++++++++++++++++++++++------------
- 1 file changed, 27 insertions(+), 12 deletions(-)
-
-diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
-index a4eb81f6a..73dfc8d5f 100644
---- a/src/bin/jp2/convert.c
-+++ b/src/bin/jp2/convert.c
-@@ -580,13 +580,10 @@ struct tga_header {
- };
- #endif /* INFORMATION_ONLY */
-
--static unsigned short get_ushort(const unsigned char *data)
-+/* Returns a ushort from a little-endian serialized value */
-+static unsigned short get_tga_ushort(const unsigned char *data)
- {
-- unsigned short val = *(const unsigned short *)data;
--#ifdef OPJ_BIG_ENDIAN
-- val = ((val & 0xffU) << 8) | (val >> 8);
--#endif
-- return val;
-+ return data[0] | (data[1] << 8);
- }
-
- #define TGA_HEADER_SIZE 18
-@@ -613,17 +610,17 @@ static int tga_readheader(FILE *fp, unsigned int *bits_per_pixel,
- id_len = tga[0];
- /*cmap_type = tga[1];*/
- image_type = tga[2];
-- /*cmap_index = get_ushort(&tga[3]);*/
-- cmap_len = get_ushort(&tga[5]);
-+ /*cmap_index = get_tga_ushort(&tga[3]);*/
-+ cmap_len = get_tga_ushort(&tga[5]);
- cmap_entry_size = tga[7];
-
-
- #if 0
-- x_origin = get_ushort(&tga[8]);
-- y_origin = get_ushort(&tga[10]);
-+ x_origin = get_tga_ushort(&tga[8]);
-+ y_origin = get_tga_ushort(&tga[10]);
- #endif
-- image_w = get_ushort(&tga[12]);
-- image_h = get_ushort(&tga[14]);
-+ image_w = get_tga_ushort(&tga[12]);
-+ image_h = get_tga_ushort(&tga[14]);
- pixel_depth = tga[16];
- image_desc = tga[17];
-
-@@ -817,6 +814,24 @@ opj_image_t* tgatoimage(const char *filename, opj_cparameters_t *parameters)
- color_space = OPJ_CLRSPC_SRGB;
- }
-
-+ /* If the declared file size is > 10 MB, check that the file is big */
-+ /* enough to avoid excessive memory allocations */
-+ if (image_height != 0 && image_width > 10000000 / image_height / numcomps) {
-+ char ch;
-+ OPJ_UINT64 expected_file_size =
-+ (OPJ_UINT64)image_width * image_height * numcomps;
-+ long curpos = ftell(f);
-+ if (expected_file_size > (OPJ_UINT64)INT_MAX) {
-+ expected_file_size = (OPJ_UINT64)INT_MAX;
-+ }
-+ fseek(f, (long)expected_file_size - 1, SEEK_SET);
-+ if (fread(&ch, 1, 1, f) != 1) {
-+ fclose(f);
-+ return NULL;
-+ }
-+ fseek(f, curpos, SEEK_SET);
-+ }
-+
- subsampling_dx = parameters->subsampling_dx;
- subsampling_dy = parameters->subsampling_dy;
-
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14041.patch b/gnu/packages/patches/openjpeg-CVE-2017-14041.patch
deleted file mode 100644
index 6e3fccf3c..000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-14041.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-http://openwall.com/lists/oss-security/2017/08/28/4
-https://github.com/uclouvain/openjpeg/commit/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9.patch
-
-From e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Fri, 18 Aug 2017 13:39:20 +0200
-Subject: [PATCH] pgxtoimage(): fix write stack buffer overflow (#997)
-
----
- src/bin/jp2/convert.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/bin/jp2/convert.c b/src/bin/jp2/convert.c
-index 5459f7d44..e606c9be7 100644
---- a/src/bin/jp2/convert.c
-+++ b/src/bin/jp2/convert.c
-@@ -1185,7 +1185,7 @@ opj_image_t* pgxtoimage(const char *filename, opj_cparameters_t *parameters)
- }
-
- fseek(f, 0, SEEK_SET);
-- if (fscanf(f, "PG%[ \t]%c%c%[ \t+-]%d%[ \t]%d%[ \t]%d", temp, &endian1,
-+ if (fscanf(f, "PG%31[ \t]%c%c%31[ \t+-]%d%31[ \t]%d%31[ \t]%d", temp, &endian1,
- &endian2, signtmp, &prec, temp, &w, temp, &h) != 9) {
- fclose(f);
- fprintf(stderr,
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14151.patch b/gnu/packages/patches/openjpeg-CVE-2017-14151.patch
deleted file mode 100644
index 4fcf6af6d..000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-14151.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-https://github.com/uclouvain/openjpeg/commit/afb308b9ccbe129608c9205cf3bb39bbefad90b9.patch
-http://openwall.com/lists/oss-security/2017/09/06/1
-
-From afb308b9ccbe129608c9205cf3bb39bbefad90b9 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Mon, 14 Aug 2017 17:20:37 +0200
-Subject: [PATCH] Encoder: grow buffer size in
- opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in
- opj_mqc_flush (#982)
-
----
- src/lib/openjp2/tcd.c | 7 +++++--
- tests/nonregression/test_suite.ctest.in | 2 ++
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/lib/openjp2/tcd.c b/src/lib/openjp2/tcd.c
-index 301c7213e..53cdcf64d 100644
---- a/src/lib/openjp2/tcd.c
-+++ b/src/lib/openjp2/tcd.c
-@@ -1187,8 +1187,11 @@ static OPJ_BOOL opj_tcd_code_block_enc_allocate_data(opj_tcd_cblk_enc_t *
- {
- OPJ_UINT32 l_data_size;
-
-- /* The +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
-- l_data_size = 1 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
-+ /* +1 is needed for https://github.com/uclouvain/openjpeg/issues/835 */
-+ /* and actually +2 required for https://github.com/uclouvain/openjpeg/issues/982 */
-+ /* TODO: is there a theoretical upper-bound for the compressed code */
-+ /* block size ? */
-+ l_data_size = 2 + (OPJ_UINT32)((p_code_block->x1 - p_code_block->x0) *
- (p_code_block->y1 - p_code_block->y0) * (OPJ_INT32)sizeof(OPJ_UINT32));
-
- if (l_data_size > p_code_block->data_size) {
-diff --git a/tests/nonregression/test_suite.ctest.in b/tests/nonregression/test_suite.ctest.in
-index aaf40d7d0..ffd964c2a 100644
---- a/tests/nonregression/test_suite.ctest.in
-+++ b/tests/nonregression/test_suite.ctest.in
-@@ -169,6 +169,8 @@ opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_ban
- # Same rate as Bretagne2_4.j2k
- opj_compress -i @INPUT_NR_PATH@/Bretagne2.ppm -o @TEMP_PATH@/Bretagne2_empty_band_r800.j2k -t 2591,1943 -n 2 -r 800
-
-+opj_compress -i @INPUT_NR_PATH@/issue982.bmp -o @TEMP_PATH@/issue982.j2k -n 1
-+
- # DECODER TEST SUITE
- opj_decompress -i @INPUT_NR_PATH@/Bretagne2.j2k -o @TEMP_PATH@/Bretagne2.j2k.pgx
- opj_decompress -i @INPUT_NR_PATH@/_00042.j2k -o @TEMP_PATH@/_00042.j2k.pgx
diff --git a/gnu/packages/patches/openjpeg-CVE-2017-14152.patch b/gnu/packages/patches/openjpeg-CVE-2017-14152.patch
deleted file mode 100644
index 6c083be12..000000000
--- a/gnu/packages/patches/openjpeg-CVE-2017-14152.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-https://github.com/uclouvain/openjpeg/commit/4241ae6fbbf1de9658764a80944dc8108f2b4154.patch
-http://openwall.com/lists/oss-security/2017/09/06/2
-
-From 4241ae6fbbf1de9658764a80944dc8108f2b4154 Mon Sep 17 00:00:00 2001
-From: Even Rouault <even.rouault@spatialys.com>
-Date: Tue, 15 Aug 2017 11:55:58 +0200
-Subject: [PATCH] Fix assertion in debug mode / heap-based buffer overflow in
- opj_write_bytes_LE for Cinema profiles with numresolutions = 1 (#985)
-
----
- src/lib/openjp2/j2k.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/src/lib/openjp2/j2k.c b/src/lib/openjp2/j2k.c
-index a2521ebbc..54b490a8c 100644
---- a/src/lib/openjp2/j2k.c
-+++ b/src/lib/openjp2/j2k.c
-@@ -6573,10 +6573,16 @@ static void opj_j2k_set_cinema_parameters(opj_cparameters_t *parameters,
-
- /* Precincts */
- parameters->csty |= 0x01;
-- parameters->res_spec = parameters->numresolution - 1;
-- for (i = 0; i < parameters->res_spec; i++) {
-- parameters->prcw_init[i] = 256;
-- parameters->prch_init[i] = 256;
-+ if (parameters->numresolution == 1) {
-+ parameters->res_spec = 1;
-+ parameters->prcw_init[0] = 128;
-+ parameters->prch_init[0] = 128;
-+ } else {
-+ parameters->res_spec = parameters->numresolution - 1;
-+ for (i = 0; i < parameters->res_spec; i++) {
-+ parameters->prcw_init[i] = 256;
-+ parameters->prch_init[i] = 256;
-+ }
- }
-
- /* The progression order shall be CPRL */
--
2.14.1
[-- Attachment #3: [PATCH 2/3] gnu: tracker: Use openjpeg-2 --]
[-- Type: text/x-patch, Size: 838 bytes --]
From 3e4e9fb6034d7a8230f1e861cc3b338ff4aadd13 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Mon, 4 Sep 2017 23:48:02 -0400
Subject: [PATCH 2/3] gnu: tracker: Use openjpeg-2.
* gnu/packages/gnome.scm (tracker)[inputs]: Use 'openjpeg' instead of
'openjpeg-1'.
---
gnu/packages/gnome.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index 339436f27..d86c578d8 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -5588,7 +5588,7 @@ easy, safe, and automatic.")
("libunistring" ,libunistring)
("giflib" ,giflib)
("json-glib" ,json-glib)
- ("openjpeg" ,openjpeg-1)
+ ("openjpeg" ,openjpeg)
("libosinfo" ,libosinfo)
("libcue" ,libcue)
("libseccomp" ,libseccomp)
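Review bot: In the `tracker` inputs only the package bound to the "openjpeg" label changes, and nothing visible here shows that tracker's build detects the openjpeg 2 API. Please confirm from the configure output that JPEG 2000 support is still enabled with this input and say so in the commit log; if the build silently disables the feature, the input should be dropped instead of swapped.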
--
2.14.1
[-- Attachment #4: [PATCH 3/3] gnu: poppler: Use openjpeg-2 --]
[-- Type: text/x-patch, Size: 2750 bytes --]
From 73ed8c7a0fd5a3818fd181f71f6fe02659c2da9b Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Mon, 4 Sep 2017 23:47:33 -0400
Subject: [PATCH 3/3] gnu: poppler: Use openjpeg-2.
* gnu/packages/pdf.scm (poppler)[inputs]: Use 'openjpeg' instead of
'openjpeg-1'.
[arguments]: Rewrite 'setenv' phase to work with any version of openjpeg.
---
gnu/packages/pdf.scm | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index 5e52d87ca..ea1e0a327 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2015, 2016 Andreas Enge <andreas@enge.fr>
-;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2017 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014, 2015, 2016 Ricardo Wurmus <rekado@elephly.net>
;;; Copyright © 2015 Paul van der Walt <paul@denknerd.org>
;;; Copyright © 2016 Roel Janssen <roel@gnu.org>
@@ -93,7 +93,7 @@
("libpng" ,libpng)
("libtiff" ,libtiff)
("lcms" ,lcms)
- ("openjpeg-1" ,openjpeg-1) ; prefers openjpeg-1
+ ("openjpeg" ,openjpeg)
("zlib" ,zlib)
;; To build poppler-glib (as needed by Evince), we need Cairo and
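Review bot: The removed `; prefers openjpeg-1` comment on the input line was the only record of upstream's preference, and the replacement line carries no explanation. Suggest a short comment next to `("openjpeg" ,openjpeg)` stating that openjpeg 2 is chosen deliberately for security reasons despite the regressions upstream reports, so that the input is not switched back later.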
@@ -117,11 +117,20 @@
#:phases
(modify-phases %standard-phases
(add-before 'configure 'setenv
- (lambda _
- (setenv "CPATH"
- (string-append (assoc-ref %build-inputs "openjpeg-1")
- "/include/openjpeg-1.5"
- ":" (or (getenv "CPATH") "")))
+ (lambda* (#:key inputs #:allow-other-keys)
+ (let* ((openjpeg (assoc-ref inputs "openjpeg"))
+ (top-include-dir (string-append openjpeg "/include"))
+ (include-dirs (map dirname (find-files top-include-dir
+ "^openjpeg.h$")))
+ (old-CPATH (getenv "CPATH")))
+ (unless (= 1 (length include-dirs))
+ (error "Unable to determine location of openjpeg.h"))
+ (format #t "Prepending ~s to CPATH~%" (car include-dirs))
+ (setenv "CPATH"
+ (string-append (car include-dirs)
+ (if old-CPATH
+ (string-append ":" old-CPATH)
+ ""))))
#t)))))
(synopsis "PDF rendering library")
(description
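Review bot: In the rewritten `setenv` phase, the `find-files` pattern `"^openjpeg.h$"` leaves the dot unescaped, so it matches any character in that position; use `"^openjpeg\\.h$"`. The `error` call guarding `(= 1 (length include-dirs))` also does not report what was found: passing `include-dirs` as an extra argument would make a zero-match or multiple-match failure diagnosable from the build log.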
--
2.14.1
* Re: openjpeg-2 security updates vs stale openjpeg-1
2017-09-06 19:18 openjpeg-2 security updates vs stale openjpeg-1 Mark H Weaver
@ 2017-09-12 8:04 ` Ludovic Courtès
0 siblings, 0 replies; 2+ messages in thread
From: Ludovic Courtès @ 2017-09-12 8:04 UTC (permalink / raw)
To: Mark H Weaver; +Cc: guix-devel
Hi Mark,
Mark H Weaver <mhw@netris.org> wrote:
> I've just rebuilt my x86_64 GuixSD system to use 'openjpeg' from git
> (since I see many more fixes there that look security-relevant), and to
> use this fresh openjpeg in both 'poppler' and 'tracker'. Unfortunately,
> the 'poppler' change required a massive rebuild, but with these updates
> my system seems to work just fine.
>
> I've attached my preliminary patches.
>
> Mark
>
> From abd9df8c4623cc44ef77be69977e2635c0fdd3bf Mon Sep 17 00:00:00 2001
> From: Mark H Weaver <mhw@netris.org>
> Date: Mon, 4 Sep 2017 23:48:55 -0400
> Subject: [PATCH 1/3] gnu: openjpeg: Update to 2.2.0-1.3a382d312.
>
> * gnu/packages/image.scm (openjpeg): Switch to using a git checkout, and
> update to 2.2.0-1.3a382d312. Remove patches.
> * gnu/packages/patches/openjpeg-CVE-2017-12982.patch,
> gnu/packages/patches/openjpeg-CVE-2017-14040.patch,
> gnu/packages/patches/openjpeg-CVE-2017-14041.patch,
> gnu/packages/patches/openjpeg-CVE-2017-14151.patch,
> gnu/packages/patches/openjpeg-CVE-2017-14152.patch: Delete files.
> * gnu/local.mk (dist_patch_DATA): Remove them.
Should we graft this openjpeg variant? “openjpeg@1” has 1,810
dependents.
Thanks for the heads-up, and apologies for the delay!
Ludo’.