[PATCH 0/1] Gst-plugins-good security update


From: Leo Famulari
Subject: [PATCH 0/1] Gst-plugins-good security update
Date: Fri, 25 Nov 2016 02:11:30 -0500

This patch should fix the bugs named here:

http://seclists.org/oss-sec/2016/q4/517

I copied Debian's approach, which is to take all the recent patches for
the vulnerable component (the FLIC decoder).

My understanding is that the first two patches fix the CVEs, the 3rd
fixes an unrelated bug, and the 4th is a total rewrite of the component,
because "code is terrible, it should be entirely re-written" [0].

The CVE bug fixes are not split into discrete patches, so it doesn't
work to make patches for each CVE ID, like we normally do.

Is this approach (concatenating the patches) okay?

[0]
https://bugzilla.gnome.org/show_bug.cgi?id=774859#c1

Leo Famulari (1):
  gnu: gst-plugins-good: Fix CVE-2016-{9634,9635,9636}.

 gnu/local.mk                                       |    1 +
 gnu/packages/gstreamer.scm                         |    1 +
 .../gst-plugins-good-flxdec-heap-overflow.patch    | 1433 ++++++++++++++++++++
 3 files changed, 1435 insertions(+)
 create mode 100644 gnu/packages/patches/gst-plugins-good-flxdec-heap-overflow.patch

-- 
2.10.2
