Subject: bug#27370: [PATCH] gnu: libtiff: Fix several bugs related to improper codec usage [security fixes].
Date: Thu, 15 Jun 2017 11:52:29 -0400
From: Leo Famulari
To: Ludovic Courtès
Cc: 27370-done@debbugs.gnu.org
Message-ID: <20170615155229.GB2932@jasmine.lan>
In-Reply-To: <87eful4qiw.fsf@gnu.org>

On Thu, Jun 15, 2017 at 10:13:43AM +0200, Ludovic Courtès wrote:
> Leo Famulari wrote:
>
> > Fixes CVE-2014-8128, CVE-2015-7554, CVE-2016-5318, CVE-2016-10095, and
> > the other bugs listed in 'libtiff-tiffgetfield-bugs.patch'.
> >
> > * gnu/packages/patches/libtiff-tiffgetfield-bugs.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Use it.
>
> LGTM. ‘guix lint -c cve’ will keep complaining, but I guess splitting
> the patch in one patch per CVE might be hard and not worth the effort.
> Thoughts?

The long list of bugs has a single root cause and fix, so there is only
one patch.

> Could you apply them to ‘core-updates’ as well?

Sure, done!