From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org
Subject: Re: v2: OpenJPEG security fixes (CVE-2016-{5157,7163})
Date: Sat, 10 Sep 2016 00:34:39 +0200 [thread overview]
Message-ID: <8760q4r9c0.fsf@gnu.org> (raw)
In-Reply-To: <20160909202639.GA2000@jasmine> (Leo Famulari's message of "Fri, 9 Sep 2016 16:26:39 -0400")
Leo Famulari <leo@famulari.name> skribis:
> On Fri, Sep 09, 2016 at 02:04:58PM -0400, Leo Famulari wrote:
>> Also, the fix for CVE-2016-5157 does not apply to openjpeg-2.0. I'd like
>> to investigate this issue separately. The only user of openjpeg-2.0 is
>> mupdf.
>
> I think the best thing to do is update mupdf to the latest upstream
> release, 1.9a, make it use openjpeg@2.1, and remove openjpeg-2.0.
Yes, even better.
> Please see attached. These patches should be applied on top of the
> patches in the email that I am replying to.
The patches in question LGTM.
> From a357edf0f568acf937f2cd9f0e97269221aee3f2 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Fri, 9 Sep 2016 16:08:02 -0400
> Subject: [PATCH 1/2] gnu: mupdf: Update to 1.9a.
>
> * gnu/packages/pdf.scm (mupdf): Update to 1.9a.
> [source]: Use "mupdf-build-with-openjpeg-2.1.patch". Adjust snippet to
> preserve bundled 'thirdparty/mujs'.
> [inputs]: Add harfbuzz. Replace openjpeg-2.0 with openjpeg.
> * gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
[...]
> From 8c201fd0392bee804bf11f7c07f4817e3766becd Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Fri, 9 Sep 2016 16:24:12 -0400
> Subject: [PATCH 2/2] gnu: Remove openjpeg-2.0.
>
> * gnu/packages/image.scm (openjpeg-2.0): Remove variable.
OK as well.
Thank you for handling this nicely!
Ludo’.
next prev parent reply other threads:[~2016-09-09 22:34 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-09 6:04 [PATCH 0/2] OpenJPEG security fixes (CVE-2016-{5157,7163}) Leo Famulari
2016-09-09 6:04 ` [PATCH 1/2] gnu: openjpeg-2.*: Fix CVE-2016-7163 Leo Famulari
2016-09-09 7:15 ` Efraim Flashner
2016-09-09 7:59 ` Leo Famulari
2016-09-09 22:29 ` Ludovic Courtès
2016-09-09 6:04 ` [PATCH 2/2] gnu: openjpeg-2.*: Fix CVE-2016-5157 Leo Famulari
2016-09-09 8:09 ` Leo Famulari
2016-09-09 7:16 ` [PATCH 0/2] OpenJPEG security fixes (CVE-2016-{5157,7163}) Efraim Flashner
2016-09-09 18:04 ` v2: " Leo Famulari
2016-09-09 20:26 ` Leo Famulari
2016-09-09 22:34 ` Ludovic Courtès [this message]
2016-09-10 1:05 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8760q4r9c0.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=guix-devel@gnu.org \
--cc=leo@famulari.name \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.