From: Efraim Flashner
Subject: Re: [PATCH 0/2] OpenJPEG security fixes (CVE-2016-{5157,7163})
Date: Fri, 9 Sep 2016 10:16:47 +0300
Message-ID: <20160909071647.GB5507@macbook42.flashner.co.il>
To: Leo Famulari
Cc: guix-devel@gnu.org

On Fri, Sep 09, 2016 at 02:04:39AM -0400, Leo Famulari wrote:
> Two bugs disclosed in OpenJPEG, CVE-2016-5157 and CVE-2016-7163. Both
> can be used to execute arbitrary code, apparently.

Ah! my favorite kind of code!

Joking aside, why not patch both CVEs at the same time?

>
> CVE-2016-7163:
> http://seclists.org/oss-sec/2016/q3/442
>
> CVE-2016-5157:
> http://seclists.org/oss-sec/2016/q3/441
>
> Leo Famulari (2):
>   gnu: openjpeg-2.*: Fix CVE-2016-7163.
>   gnu: openjpeg-2.*: Fix CVE-2016-5157.
>
>  gnu/local.mk                                      |  2 +
>  gnu/packages/image.scm                            |  8 +-
>  gnu/packages/patches/openjpeg-CVE-2016-5157.patch | 98 +++++++++++++++++++++
>  gnu/packages/patches/openjpeg-CVE-2016-7163.patch | 71 ++++++++++++++++
>  4 files changed, 177 insertions(+), 2 deletions(-)
>  create mode 100644 gnu/packages/patches/openjpeg-CVE-2016-5157.patch
>  create mode 100644 gnu/packages/patches/openjpeg-CVE-2016-7163.patch
>
> --
> 2.10.0
>
>

-- 
Efraim Flashner   <אפרים פלשנר>
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted