On Fri, Sep 09, 2016 at 02:04:58PM -0400, Leo Famulari wrote:
> Also, the fix for CVE-2016-5157 does not apply to openjpeg-2.0. I'd like
> to investigate this issue separately. The only user of openjpeg-2.0 is
> mupdf.

I think the best thing to do is update mupdf to the latest upstream
release, 1.9a, make it use openjpeg@2.1, and remove openjpeg-2.0.

Please see attached. These patches should be applied on top of the
patches in the email that I am replying to.