[PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052)

[PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052)

[Leo Famulari]

This patch updates harfbuzz to 1.0.6, fixing CVE-2016-2052 [0].

However, 587 packages depend on harfbuzz [1]. Where should the patch be
applied?

[0]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2052

[1]
Building the following 199 packages would ensure 388 dependent packages 
are rebuilt: avidemux-2.6.10 python-pyqt-5.5 pumpa-0.9.1 
owncloud-client-2.1.0 powertabeditor-2.0.0-alpha8 lxqt-session-0.9.0 
lxqt-common-0.9.1 tiled-0.13.1 bitcoin-core-0.11.0 fritzing-0.9.2b 
i3-wm-4.10.3 xnee-3.19 racket-6.2.1 sawfish-1.11 lxtask-0.1.6 
lxrandr-0.3.0 lxappearance-0.6.1 pcmanfm-1.2.3 
ruby-atoulme-antwrap-0.7.5 htsjdk-1.129 sra-tools-2.5.4 icedtea-1.13.9 
arandr-0.1.8 wicd-1.7.3 gourmet-0.17.4 gajim-0.16.5 pspp-0.8.5 
gpscorrelate-1.6.1.365f6e1b3f pinentry-0.9.6 xournal-0.4.8 
lxterminal-0.2.0 gkrellm-2.3.5 geeqie-1.1 geda-gaf-1.8.2 
dvdisaster-0.72.6 hydrogen-0.9.5.1 qsynth-0.4.0 calf-0.0.60 ir-1.3.2 
gnubik-2.4.2 pcb-20140316 jalv-1.4.6 azr3-1.2.3 patchage-1.0.0 
ardour-4.4 gst-plugins-ugly-1.6.1 guix-0.9.0.f888c0b scribus-1.5.0 
skribilo-0.9.3 a2ps-4.14 emacs-w3m-1.4.538+0.20141022 calibre-2.48.0 
orpheus-1.6 ripperx-2.8.0 emms-4.0 abcde-2.7 cereal-1.1.2 soprano-2.9.4 
vmpk-0.6.2a ncmpc-0.24 mpd-mpc-0.27 mpdscribble-0.22 ncmpcpp-0.6.7 
pidgin-otr-4.0.1 libdbusmenu-qt-0.9.2 libstdc++-doc-5.3.0 
libstdc++-doc-4.9.3 manaplus-1.6.1.16 love-0.10.0 wayland-1.9.0 
fish-2.2.0 openbox-3.5.2 gmtp-1.3.9 tuxguitar-1.2 
conkeror-1.0pre1.20150730 lablgtk-2.18.3 gnubg-1.02 inklingreader-0.8 
gxmessage-3.4.3 zathura-cb-0.1.4 zathura-ps-0.2.2 
zathura-pdf-poppler-0.2.5 zathura-djvu-0.2.4 pavucontrol-3.0 
glade-3.18.3 gnome-keyring-3.18.3 guitarix-0.34.0 devhelp-3.18.1 
hexchat-2.10.1 claws-mail-3.13.2 file-roller-3.16.4 
ibus-libpinyin-1.7.2 yelp-3.16.1 vte-0.36.5 d-feet-0.3.10 xfce-4.12.0 
gsegrafix-1.0.6 libchamplain-0.12.12 tilda-1.3.1 gnome-terminal-3.18.2 
epiphany-3.18.2 evince-3.18.1 gedit-3.18.1 shotwell-0.22.0 
rhythmbox-3.2.1 gnome-session-3.18.1.2 seahorse-3.18.0 
nestopia-ue-1.46.2 gamine-1.4 sfxr-1.2.1 fcitx-4.2.8.6 
transmission-2.84 guile-present-0.3.0 eog-3.18.1 gnome-shell-3.18.3 
gnome-themes-standard-3.18.0 totem-3.18.1 gnome-mines-3.18.2 
key-mon-1.17 gnucash-2.6.9 aisleriot-3.18.2 gnumeric-1.12.24 
gnome-klotski-3.18.2 xboard-4.8.0 fvwm-2.6.5 
guile-emacs-20150512.41120e0 emacs-no-x-toolkit-24.5 hop-2.4.0 
patches-0.0.26d7dbc emacs-debbugs-0.7 emacs-butler-0.2.4 
magit-svn-2.1.1 emacs-typo-1.1 emacs-flycheck-0.23 
emacs-ob-ipython-20150704.8807064693 emacs-auctex-11.88.6 
emacs-undo-tree-0.6.4 abiword-2.8.6 gimp-2.8.14 wesnoth-1.12.4 
mplayer-1.2 obs-0.12.4 cmus-2.7.1 mpd-0.19.10 strigi-0.7.8 
gst-libav-1.6.1 guile-gnunet-0.0.383eac2 retroarch-1.2.2 audacity-2.1.0 
kodi-15.2 gvfs-1.26.2 python-numexpr-2.4.4 python-statsmodels-0.6.1 
python-scikit-learn-0.16.1 python-seaborn-0.5.1 python-h5py-2.4.0 
python-scikit-image-0.11.3 idr-2.0.0 python-biopython-1.66 
python2-ipython-3.2.1 python2-numexpr-2.4.4 libreoffice-5.0.3.2 
rseqc-2.6.1 macs-2.1.0.20140616 seqmagick-0.6.1 crossmap-0.2.1 
python-ipython-3.2.1 python2-statsmodels-0.6.1 
python2-scikit-image-0.11.3 python2-seaborn-0.5.1 couger-1.8.2 
python2-warpedlmm-0.21 deeptools-1.5.11 grit-2.0.2 
pbtranscript-tofu-2.2.3.8f5467fe6 clipper-0.3.0 miso-0.5.3 
asymptote-2.35 proof-general-4.2 unison-2.48.3 fastcap-2.0-18Sep92 
simple-scan-3.17.4 hydra-20150407.4c0e3e4 enblend-enfuse-4.1.3 
wxmaxima-15.04.0 flann-1.8.4 shogun-4.0.0 xsensors-0.70 mpv-0.15.0 
gerbv-2.6.1 frescobaldi-2.18.1 solfege-3.22.2 dunst-1.1.0 
synfigstudio-1.0.2 terminology-0.9.1 emotion-generic-players-1.16.0 

Leo Famulari (1):
  gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].

 gnu/packages/gtk.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
2.6.3

[PATCH 1/1] gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].

[Leo Famulari]

* gnu/packages/gtk.scm (harfbuzz): Update to 1.0.6.
---
 gnu/packages/gtk.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 916873b..3f92d0a 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -145,7 +145,7 @@ affine transformation (scale, rotation, shear, etc.).")
 (define-public harfbuzz
   (package
    (name "harfbuzz")
-   (version "1.0.5")
+   (version "1.0.6")
    (source (origin
              (method url-fetch)
              (uri (string-append "http://www.freedesktop.org/software/"
@@ -153,7 +153,7 @@ affine transformation (scale, rotation, shear, etc.).")
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0h2l362qzkck5dnnj7zlz593hf1ni3k25dfaii9mbjwflp3d56ad"))))
+               "09ivk5m4y09ar4zi9r6db7gp234cy05h0ach7w22g9kqvkxsf5pn"))))
    (build-system gnu-build-system)
    (outputs '("out"
               "bin")) ; 160K, only hb-view depend on cairo
-- 
2.6.3

Re: [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052)

[Efraim Flashner]

[-- Attachment #1: Type: text/plain, Size: 897 bytes --]

On Fri, 29 Jan 2016 01:01:19 -0500
Leo Famulari <leo@famulari.name> wrote:

> This patch updates harfbuzz to 1.0.6, fixing CVE-2016-2052 [0].
> 
> However, 587 packages depend on harfbuzz [1]. Where should the patch be
> applied?
> 
> [0]
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2052
> 
> [1]
> Building the following 199 packages would ensure 388 dependent packages 
> are rebuilt: avidemux-2.6.10 python-pyqt-5.5 pumpa-0.9.1 
[snip]
> Leo Famulari (1):
>   gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].
> 
>  gnu/packages/gtk.scm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 

how about the security-updates branch?

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH 1/1] gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].

[Mark H Weaver]

Leo Famulari <leo@famulari.name> writes:
> * gnu/packages/gtk.scm (harfbuzz): Update to 1.0.6.

I pushed this to the 'security-updates' branch.

     Thanks!
       Mark

Re: [PATCH 0/1] Update harfbuzz to 1.0.6 (CVE-2016-2052)

[Leo Famulari]

On Fri, Jan 29, 2016 at 09:41:45AM +0200, Efraim Flashner wrote:
> On Fri, 29 Jan 2016 01:01:19 -0500
> Leo Famulari <leo@famulari.name> wrote:
> 
> > This patch updates harfbuzz to 1.0.6, fixing CVE-2016-2052 [0].
> > 
> > However, 587 packages depend on harfbuzz [1]. Where should the patch be
> > applied?
> > 
> > [0]
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2052
> > 
> > [1]
> > Building the following 199 packages would ensure 388 dependent packages 
> > are rebuilt: avidemux-2.6.10 python-pyqt-5.5 pumpa-0.9.1 
> [snip]
> > Leo Famulari (1):
> >   gnu: harfbuzz: Update to 1.0.6 [fixes CVE-2016-2052].
> > 
> >  gnu/packages/gtk.scm | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> 
> how about the security-updates branch?

I'm not sure of the status of the branch with respect to Hydra. That is,
is it currently building the branch? If so, is it bad to push to the
branch? I wouldn't mind a little education on this topic!

Other can feel free to push this if appropriate.

> 
> -- 
> Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
> GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
> Confidentiality cannot be guaranteed on emails sent or received unencrypted