Subject: [bug#27603] [PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.
Date: Thu, 6 Jul 2017 19:40:38 -0400
From: Leo Famulari
To: Alex Vong
Cc: 27603@debbugs.gnu.org
Message-ID: <20170706234038.GB1280@jasmine.lan>
In-Reply-To: <87r2xti4dz.fsf@gmail.com>

On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
> * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
> gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
> * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
> * gnu/local.mk (dist_patch_DATA): Add them.

> +Patch lifted from upstream source repository (the changes to 'ChangeLog'
> +don't apply to the libtiff 4.0.8 release tarball):
> +
> +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1

This is actually not the upstream source repository. It's a 3rd party unofficial mirror. To the chagrin of young packagers everywhere, libtiff is still using CVS. Unless somebody beats me to it, I'll extract the patches from their CVS repo later tonight.