From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Alex Vong
Subject: Re: [PATCH] gnu: lcms: Update to 2.8.
Date: Sat, 11 Feb 2017 23:16:09 +0800
Message-ID: <87shnkg3ly.fsf@gmail.com>
References: <87k28zmv50.fsf@gmail.com> <8760kjv4eq.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
In-Reply-To: <8760kjv4eq.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> (Marius Bakke's message of "Thu, 09 Feb 2017 15:13:01 +0100")
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Marius Bakke
Cc: guix-devel@gnu.org

--==-=-=
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain

Marius Bakke writes:

> Alex Vong writes:
>
>> Hi,
>>
>> This patch updates lcms to 2.8:
>
> Thank you for this!
>
Thanks for the review too!

>> Besides, the security bug which 'lcms-fix-out-of-bounds-read.patch'
>> fixed has been assigned CVE-2016-10165 according to [0], should we
>> change the name of the patch?
>>
>> [0]: https://bugzilla.redhat.com/show_bug.cgi?id=1367357
>
> Good catch. Would you like to do it?
>
> Could you submit this patch against the 'core-updates' branch? LCMS
> causes ~1800 rebuilds which is too much for 'master'. The CVE patch has
> also been 'un-grafted' in core-updates, so the context will be slightly
> different. TIA!

Sure, the patches are here:

--=-=-=
Content-Type: text/x-diff; charset=utf-8
Content-Disposition: inline; filename=0001-gnu-lcms-Update-to-2.8.patch
Content-Transfer-Encoding: quoted-printable

From=2022b5a7941975d7b1377c65aa096506c38b4efdf8 Mon Sep 17 00:00:00 2001 From: Alex Vong Date: Sat, 11 Feb 2017 22:45:38 +0800 Subject: [PATCH 1/2] gnu: lcms: Update to 2.8. * gnu/packages/ghostscript.scm (lcms): Update to 2.8. =2D-- gnu/packages/ghostscript.scm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/gnu/packages/ghostscript.scm b/gnu/packages/ghostscript.scm index dcbed69e3..4b8e62348 100644 =2D-- a/gnu/packages/ghostscript.scm +++ b/gnu/packages/ghostscript.scm @@ -3,6 +3,7 @@ ;;; Copyright =C2=A9 2014, 2015, 2016 Mark H Weaver ;;; Copyright =C2=A9 2015 Ricardo Wurmus ;;; Copyright =C2=A9 2013, 2015, 2016 Ludovic Court=C3=A8s +;;; Copyright =C2=A9 2017 Alex Vong ;;; ;;; This file is part of GNU Guix. ;;;
@@ -39,14 +40,14 @@ (define-public lcms (package (name "lcms") =2D (version "2.6") + (version "2.8") (source (origin (method url-fetch) (uri (string-append "mirror://sourceforge/lcms/lcms/" version "/lcms2-" version ".tar.gz")) (patches (search-patches "lcms-fix-out-of-bounds-read.patch")) (sha256 (base32 =2D "1c8lgq8gfs3nyplvbx9k8wzfj6r2bqi3f611vb1m8z3476454w= ji")))) + "08pvl289g0mbznzx5l6ibhaldsgx41kwvdn2c974ga9fkli2pl36= ")))) (build-system gnu-build-system) (inputs `(("libjpeg-8" ,libjpeg-8) ("libtiff" ,libtiff) =2D-=20 2.11.1

--=-=-=
Content-Type: lcms
Content-Disposition: attachment; filename=0002-gnu-lcms-Mention-CVE-2016-10165.patch
Content-Transfer-Encoding: base64

--=-=-=--

--==-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--==-=-=--
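
Review bot: In the second hunk of 0001 (`@@ -39,14 +40,14 @@`), the version moves from 2.6 to 2.8 while `(patches (search-patches "lcms-fix-out-of-bounds-read.patch"))` is carried over unchanged, and nothing in the commit message says the security patch was re-checked against the new tarball. Please confirm that the patch still applies to the 2.8 source and that 2.8 does not already contain the fix, and record the result in the commit log. The new base32 hash is the only integrity check on the `mirror://sourceforge` download in this origin, so it should be verified against a freshly fetched tarball (for example with `guix download`). As the thread notes, the context of this hunk differs on 'core-updates', where the CVE patch has been un-grafted, so the hunk needs regenerating against that branch.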