From: Leo Famulari
Subject: [PATCH 0/1] Gst-plugins-good security update
Date: Fri, 25 Nov 2016 02:11:30 -0500
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

This patch should fix the bugs named here:
http://seclists.org/oss-sec/2016/q4/517

I copied Debian's approach, which is to take all the recent patches for the
vulnerable component (the FLIC decoder). My understanding is that the first
two patches fix the CVEs, the 3rd fixes an unrelated bug, and the 4th is a
total rewrite of the component, because "code is terrible, it should be
entirely re-written" [0].

The CVE bug fixes are not split into discrete patches, so it doesn't work to
make patches for each CVE ID, like we normally do.

Is this approach (concatenating the patches) okay?

[0] https://bugzilla.gnome.org/show_bug.cgi?id=774859#c1

Leo Famulari (1):
  gnu: gst-plugins-good: Fix CVE-2016-{9634,9635,9636}.
 gnu/local.mk                                       |    1 +
 gnu/packages/gstreamer.scm                         |    1 +
 .../gst-plugins-good-flxdec-heap-overflow.patch    | 1433 ++++++++++++++++++++
 3 files changed, 1435 insertions(+)
 create mode 100644 gnu/packages/patches/gst-plugins-good-flxdec-heap-overflow.patch

--
2.10.2