From: Efraim Flashner <efraim@flashner.co.il>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}.
Date: Sun, 11 Dec 2016 09:55:58 +0200 [thread overview]
Message-ID: <20161211075558.GA24892@macbook42.flashner.co.il> (raw)
In-Reply-To: <20161211060214.GA30740@jasmine>
[-- Attachment #1: Type: text/plain, Size: 1900 bytes --]
On Sun, Dec 11, 2016 at 01:02:14AM -0500, Leo Famulari wrote:
> On Sat, Dec 10, 2016 at 08:03:24PM +0000, Efraim Flashner wrote:
> > efraim pushed a commit to branch master
> > in repository guix.
> >
> > commit a304b6c362dcfadfaa2cfe2a67f5e948f247fd51
> > Author: Efraim Flashner <efraim@flashner.co.il>
> > Date: Sat Dec 10 21:45:29 2016 +0200
> >
> > gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}.
> >
> > * gnu/packages/image.scm (openjpeg)[replacement]: New field.
> > (openjpeg/fixed): New variable, patch against CVE-2016-9850,
> > CVE-2016-9851.
> > * gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Register it.
>
> I think this patch should have been sent to guix-devel for review.
>
> The patches are from a 3rd-party repository. The author does seem to
> have a relationship to the OpenJPEG project (from past commits), but
> nobody else from OpenJPEG commented on these changes yet:
>
> https://github.com/uclouvain/openjpeg/issues/871
> https://github.com/uclouvain/openjpeg/issues/872
> https://github.com/uclouvain/openjpeg/pull/873/files
You're right, I should've been more careful with that.
>
> While poking around, I noticed there is a newer OpenJPEG release
> (2.1.2), and a bunch of recent bugs:
>
> https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg
>
> Especial CVE-2016-8332:
>
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8332
>
Good catch, I noticed that there was a newer version, but for some
reason I never even thought to use the newer release as the base for the
replacement.
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
prev parent reply other threads:[~2016-12-11 7:56 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20161210200323.4764.51747@vcs.savannah.gnu.org>
[not found] ` <20161210200324.4B8C12201B9@vcs.savannah.gnu.org>
2016-12-11 6:02 ` 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851} Leo Famulari
2016-12-11 7:13 ` Leo Famulari
2016-12-11 7:55 ` Efraim Flashner [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161211075558.GA24892@macbook42.flashner.co.il \
--to=efraim@flashner.co.il \
--cc=guix-devel@gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.