Re: v2: OpenJPEG security fixes (CVE-2016-{5157,7163})
From: Ludovic Courtès
Subject: Re: v2: OpenJPEG security fixes (CVE-2016-{5157,7163})
Date: Sat, 10 Sep 2016 00:34:39 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Leo Famulari <address@hidden> wrote:
> On Fri, Sep 09, 2016 at 02:04:58PM -0400, Leo Famulari wrote:
>> Also, the fix for CVE-2016-5157 does not apply to openjpeg-2.0. I'd like
>> to investigate this issue separately. The only user of openjpeg-2.0 is
>> mupdf.
>
> I think the best thing to do is update mupdf to the latest upstream
> release, 1.9a, make it use address@hidden, and remove openjpeg-2.0.

Yes, even better.

> Please see attached. These patches should be applied on top of the
> patches in the email that I am replying to.

The patches in question LGTM.

> From a357edf0f568acf937f2cd9f0e97269221aee3f2 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <address@hidden>
> Date: Fri, 9 Sep 2016 16:08:02 -0400
> Subject: [PATCH 1/2] gnu: mupdf: Update to 1.9a.
>
> * gnu/packages/pdf.scm (mupdf): Update to 1.9a.
> [source]: Use "mupdf-build-with-openjpeg-2.1.patch". Adjust snippet to
> preserve bundled 'thirdparty/mujs'.
> [inputs]: Add harfbuzz. Replace openjpeg-2.0 with openjpeg.
> * gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

[...]

> From 8c201fd0392bee804bf11f7c07f4817e3766becd Mon Sep 17 00:00:00 2001
> From: Leo Famulari <address@hidden>
> Date: Fri, 9 Sep 2016 16:24:12 -0400
> Subject: [PATCH 2/2] gnu: Remove openjpeg-2.0.
>
> * gnu/packages/image.scm (openjpeg-2.0): Remove variable.

OK as well.

Thank you for handling this nicely!

Ludo’.