From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: [PATCH 0/1] Fix many jasper CVEs Date: Sat, 30 Jan 2016 16:20:50 -0500 Message-ID: Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:40626) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aPcx5-0000az-JU for guix-devel@gnu.org; Sat, 30 Jan 2016 16:21:04 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1aPcx2-0006Js-Bf for guix-devel@gnu.org; Sat, 30 Jan 2016 16:21:03 -0500 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:44684) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1aPcx2-0006Jo-5b for guix-devel@gnu.org; Sat, 30 Jan 2016 16:21:00 -0500 Received: from jasmine.lan (c-69-249-5-231.hsd1.pa.comcast.net [69.249.5.231]) by mail.messagingengine.com (Postfix) with ESMTPA id D77986800E2 for ; Sat, 30 Jan 2016 16:20:57 -0500 (EST) List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: guix-devel@gnu.org I set out to apply the fix for CVE-2016-1867 to jasper and found that our package had many unpatched CVEs dating back to 2008 [0]. Most of these patches are copied from Fedora [1] but the patch for CVE-2016-1867 is copied from SUSE [2]. I copied one non-CVE patch from Fedora because the patch for CVE-2008-3520 builds on it. There are other non-CVE patches in the Fedora tree [1]. Do you think we should apply any of those as well? [0] https://security-tracker.debian.org/tracker/source-package/jasper https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8157 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8158 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1867 [1] http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/ [2] https://bugzilla.suse.com/show_bug.cgi?id=961886 Leo Famulari (1): gnu: jasper: Add fixes for several security flaws. gnu-system.am | 9 + gnu/packages/image.scm | 13 +- gnu/packages/patches/jasper-CVE-2008-3520.patch | 931 +++++++++++++++++++++ .../jasper-CVE-2011-4516-and-CVE-2011-4517.patch | 31 + gnu/packages/patches/jasper-CVE-2014-8137.patch | 64 ++ gnu/packages/patches/jasper-CVE-2014-8138.patch | 21 + gnu/packages/patches/jasper-CVE-2014-8157.patch | 19 + gnu/packages/patches/jasper-CVE-2014-8158.patch | 336 ++++++++ gnu/packages/patches/jasper-CVE-2014-9029.patch | 36 + gnu/packages/patches/jasper-CVE-2016-1867.patch | 18 + .../patches/jasper-stepsizes-overflow.patch | 20 + 11 files changed, 1497 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/jasper-CVE-2008-3520.patch create mode 100644 gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-8137.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-8138.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-8157.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-8158.patch create mode 100644 gnu/packages/patches/jasper-CVE-2014-9029.patch create mode 100644 gnu/packages/patches/jasper-CVE-2016-1867.patch create mode 100644 gnu/packages/patches/jasper-stepsizes-overflow.patch -- 2.6.3