Re: 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}.
From: Leo Famulari
Subject: Re: 03/04: gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}.
Date: Sun, 11 Dec 2016 01:02:14 -0500
User-agent: Mutt/1.7.1 (2016-10-04)

On Sat, Dec 10, 2016 at 08:03:24PM +0000, Efraim Flashner wrote:
> efraim pushed a commit to branch master
> in repository guix.
>
> commit a304b6c362dcfadfaa2cfe2a67f5e948f247fd51
> Author: Efraim Flashner <address@hidden>
> Date: Sat Dec 10 21:45:29 2016 +0200
>
> gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}.
>
> * gnu/packages/image.scm (openjpeg)[replacement]: New field.
> (openjpeg/fixed): New variable, patch against CVE-2016-9850,
> CVE-2016-9851.
> * gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch: New
> file.
> * gnu/local.mk (dist_patch_DATA): Register it.

I think this patch should have been sent to guix-devel for review.

The patches are from a 3rd-party repository. The author does seem to
have a relationship to the OpenJPEG project (from past commits), but
nobody else from OpenJPEG commented on these changes yet:

https://github.com/uclouvain/openjpeg/issues/871
https://github.com/uclouvain/openjpeg/issues/872
https://github.com/uclouvain/openjpeg/pull/873/files

While poking around, I noticed there is a newer OpenJPEG release
(2.1.2), and a bunch of recent bugs:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg

Especially CVE-2016-8332:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8332