From: Efraim Flashner
Subject: Re: cairo CVE-2016-9082
Date: Tue, 29 Nov 2016 09:44:06 +0200
Message-ID: <20161129074406.GE2509@macbook42.flashner.co.il>
To: Leo Famulari
Cc: guix-devel@gnu.org

On Mon, Nov 28, 2016 at 10:06:41PM -0500, Leo Famulari wrote:
> On Mon, Nov 28, 2016 at 09:30:53PM +0200, Efraim Flashner wrote:
> > The previous patch somehow stopped working for me, and I was getting
> > complaints about unbound variable cairo/fixed, so I rewrote the patch to
> > have every cairo use the patch separately.
>
> Thanks for taking on this tricky bug fix!
>
> > diff --git a/gnu/packages/patches/cairo-CVE-2016-9082.patch b/gnu/packages/patches/cairo-CVE-2016-9082.patch
>
> Please add a link to the patch source in the patch file. I know it can
> be found in the linked bug report, but it does help readers to be
> explicit, in my opinion.
>
> Otherwise LGTM.
>
> The patch is not in the cairo repo yet, AFAICT:
>
> https://cgit.freedesktop.org/cairo/
>
> But, Debian did use it:
>
> https://anonscm.debian.org/cgit/collab-maint/cairo.git/tree/debian/patches/07_CVE-2016-9082.patch
>
> Can you follow the upstream resolution of the bug in case they decide to
> use a different patch?

sure

-- 
Efraim Flashner   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted