all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: Re: [PATCH 0/1] Fix many jasper CVEs
Date: Sat, 30 Jan 2016 18:00:58 -0500	[thread overview]
Message-ID: <20160130230058.GA30065@jasmine> (raw)
In-Reply-To: <cover.1454188449.git.leo@famulari.name>

On Sat, Jan 30, 2016 at 04:20:50PM -0500, Leo Famulari wrote:
> I set out to apply the fix for CVE-2016-1867 to jasper and found that
> our package had many unpatched CVEs dating back to 2008 [0].

When this is pushed, I will have to remember to add copyright
attribution for myself. I forgot to include that.

> 
> Most of these patches are copied from Fedora [1] but the patch for
> CVE-2016-1867 is copied from SUSE [2].
> 
> I copied one non-CVE patch from Fedora because the patch for
> CVE-2008-3520 builds on it.
> 
> There are other non-CVE patches in the Fedora tree [1]. Do you think we
> should apply any of those as well?
> 
> [0]
> https://security-tracker.debian.org/tracker/source-package/jasper
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8157
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8158 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1867
> 
> [1]
> http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/
> 
> [2]
> https://bugzilla.suse.com/show_bug.cgi?id=961886
> 
> Leo Famulari (1):
>   gnu: jasper: Add fixes for several security flaws.
> 
>  gnu-system.am                                      |   9 +
>  gnu/packages/image.scm                             |  13 +-
>  gnu/packages/patches/jasper-CVE-2008-3520.patch    | 931 +++++++++++++++++++++
>  .../jasper-CVE-2011-4516-and-CVE-2011-4517.patch   |  31 +
>  gnu/packages/patches/jasper-CVE-2014-8137.patch    |  64 ++
>  gnu/packages/patches/jasper-CVE-2014-8138.patch    |  21 +
>  gnu/packages/patches/jasper-CVE-2014-8157.patch    |  19 +
>  gnu/packages/patches/jasper-CVE-2014-8158.patch    | 336 ++++++++
>  gnu/packages/patches/jasper-CVE-2014-9029.patch    |  36 +
>  gnu/packages/patches/jasper-CVE-2016-1867.patch    |  18 +
>  .../patches/jasper-stepsizes-overflow.patch        |  20 +
>  11 files changed, 1497 insertions(+), 1 deletion(-)
>  create mode 100644 gnu/packages/patches/jasper-CVE-2008-3520.patch
>  create mode 100644 gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch
>  create mode 100644 gnu/packages/patches/jasper-CVE-2014-8137.patch
>  create mode 100644 gnu/packages/patches/jasper-CVE-2014-8138.patch
>  create mode 100644 gnu/packages/patches/jasper-CVE-2014-8157.patch
>  create mode 100644 gnu/packages/patches/jasper-CVE-2014-8158.patch
>  create mode 100644 gnu/packages/patches/jasper-CVE-2014-9029.patch
>  create mode 100644 gnu/packages/patches/jasper-CVE-2016-1867.patch
>  create mode 100644 gnu/packages/patches/jasper-stepsizes-overflow.patch
> 
> -- 
> 2.6.3
> 
> 

      parent reply	other threads:[~2016-01-30 23:01 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-01-30 21:20 [PATCH 0/1] Fix many jasper CVEs Leo Famulari
2016-01-30 21:20 ` [PATCH 1/1] gnu: jasper: Add fixes for several security flaws Leo Famulari
2016-01-30 23:00 ` Leo Famulari [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160130230058.GA30065@jasmine \
    --to=leo@famulari.name \
    --cc=guix-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.