Leo Famulari writes:

> * gnu/packages/patches/unrtf-CVE-2016-10091.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> * gnu/packages/unrtf.scm (unrtf)[source]: Use it.

[...]

> diff --git a/gnu/packages/patches/unrtf-CVE-2016-10091.patch b/gnu/packages/patches/unrtf-CVE-2016-10091.patch
> new file mode 100644
> index 000000000..0a58b40db
> --- /dev/null
> +++ b/gnu/packages/patches/unrtf-CVE-2016-10091.patch
> @@ -0,0 +1,224 @@
> +Fix CVE-2016-10091 (stack-based buffer overflows in cmd_* functions):
> +
> +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10091
> +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705
> +http://seclists.org/oss-sec/2016/q4/787
> +
> +Patch copied from Debian:
> +
> +https://anonscm.debian.org/cgit/collab-maint/unrtf.git/commit/?h=jessie&id=7500a48fb0fbad3ab963fb17560b2f90a8a485c8
> +
> +The Debian patch adapts this upstream commit so that it can be applied
> +to the 0.21.9 release tarball:
> +
> +http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406

Isn't the Debian patch the same as this upstream commit? I can't spot the
difference with a cursory glance.

> +diff --git a/debian/patches/series b/debian/patches/series
> +new file mode 100644
> +index 0000000..7868249
> +--- /dev/null
> ++++ b/debian/patches/series
> +@@ -0,0 +1 @@
> ++0001-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch

This part we surely don't need ;-)

Unless the Debian patch fixes other issues than upstream revision
3b16893a6406, I would just pick and link to that, skipping the Debian step.

WDYT?

Thanks for taking care of this!
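Review bot: the header of gnu/packages/patches/unrtf-CVE-2016-10091.patch says the Debian patch "adapts" upstream hg revision 3b16893a6406 for the 0.21.9 tarball but does not say what was adapted; either name the concrete difference (which hunks or context lines were adjusted) or, if there is none, cite the upstream revision as the direct source so the provenance lines stay accurate.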
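Review bot: the embedded `debian/patches/series` hunk (`+++ b/debian/patches/series`, `++0001-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch`) is Debian packaging metadata, not unrtf source; left in the Guix patch file it would create a stray debian/patches/series file in the unpacked 0.21.9 tree, so drop that hunk before the patch is committed.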
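The bug class the patch addresses, an unbounded sprintf into a fixed stack buffer in a cmd_* handler, and the snprintf-style fix named in the Debian patch title, as an added illustration that is not unrtf's code and not part of the thread. The handler name cmd_font_size, the helper fmt_bounded and the oversized RTF argument are all constructed here for the example; the original vulnerable sprintf pattern appears only in a comment so the block itself never overflows.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not unrtf source): a cmd_*-style handler that
 * formats an attacker-controlled RTF control-word argument into a fixed
 * stack buffer.
 *
 * Vulnerable pattern, the class CVE-2016-10091 belongs to:
 *
 *     char str[200];
 *     sprintf(str, "<font size=\"%s\">", arg);   // no bound on arg length
 *
 * sprintf writes every byte the format produces; an RTF argument longer
 * than the buffer runs off the end of str and corrupts the stack frame.
 */

/* Hardened form: bounded formatting that reports truncation instead of
 * overflowing. Returns 1 if the whole string fit, 0 if it was truncated
 * (out is still NUL-terminated), -1 on an encoding error. */
int fmt_bounded(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    return (size_t)n < outsz ? 1 : 0;
}

/* Hypothetical handler: emits an HTML font tag for the RTF argument and
 * lets the caller decide what to do when the argument does not fit. */
int cmd_font_size(char *out, size_t outsz, const char *arg)
{
    return fmt_bounded(out, outsz, "<font size=\"%s\">", arg);
}

/* Well-formed short argument: fits, output is exact. */
int demo_short(void)
{
    char out[200];
    if (cmd_font_size(out, sizeof out, "12") != 1)
        return 0;
    return strcmp(out, "<font size=\"12\">") == 0;
}

/* Constructed hostile argument: 999 bytes into a 200-byte buffer. With
 * sprintf this would smash the stack; with the bounded form the result is
 * reported as truncated and the buffer stays NUL-terminated. */
int demo_long(void)
{
    char arg[1000];
    memset(arg, 'A', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';

    char out[200];
    int rc = cmd_font_size(out, sizeof out, arg);
    return rc == 0 && strlen(out) == sizeof out - 1;
}

int main(void)
{
    printf("short argument handled: %s\n", demo_short() ? "ok" : "FAIL");
    printf("oversized argument rejected: %s\n", demo_long() ? "ok" : "FAIL");
    return 0;
}
```

Returning the truncation status, rather than silently cutting the string, matters for a converter like this: a truncated HTML tag can change the structure of the output document, so the caller should treat rc == 0 as an error for the control word rather than emit the partial tag.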