guix-devel

Re: v2: OpenJPEG security fixes (CVE-2016-{5157,7163})


From: Ludovic Courtès
Subject: Re: v2: OpenJPEG security fixes (CVE-2016-{5157,7163})
Date: Sat, 10 Sep 2016 00:34:39 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Leo Famulari <address@hidden> wrote:

> On Fri, Sep 09, 2016 at 02:04:58PM -0400, Leo Famulari wrote:
>> Also, the fix for CVE-2016-5157 does not apply to openjpeg-2.0. I'd like
>> to investigate this issue separately. The only user of openjpeg-2.0 is
>> mupdf.
>
> I think the best thing to do is update mupdf to the latest upstream
> release, 1.9a, make it use address@hidden, and remove openjpeg-2.0.

Yes, even better.

> Please see attached. These patches should be applied on top of the
> patches in the email that I am replying to.

The patches in question LGTM.

> From a357edf0f568acf937f2cd9f0e97269221aee3f2 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <address@hidden>
> Date: Fri, 9 Sep 2016 16:08:02 -0400
> Subject: [PATCH 1/2] gnu: mupdf: Update to 1.9a.
>
> * gnu/packages/pdf.scm (mupdf): Update to 1.9a.
> [source]: Use "mupdf-build-with-openjpeg-2.1.patch". Adjust snippet to
> preserve bundled 'thirdparty/mujs'.
> [inputs]: Add harfbuzz. Replace openjpeg-2.0 with openjpeg.
> * gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.

[...]

> From 8c201fd0392bee804bf11f7c07f4817e3766becd Mon Sep 17 00:00:00 2001
> From: Leo Famulari <address@hidden>
> Date: Fri, 9 Sep 2016 16:24:12 -0400
> Subject: [PATCH 2/2] gnu: Remove openjpeg-2.0.
>
> * gnu/packages/image.scm (openjpeg-2.0): Remove variable.

OK as well.

Thank you for handling this nicely!

Ludo’.


