2017-11-25 2:13 GMT-02:00 Paul Wise <p...@debian.org>:
> On Fri, Nov 24, 2017 at 9:33 PM, Ian Jackson wrote:
>
>> Can't you find a copy of the configure.ac somewhere ? If not, you may
>> be able to reconstruct one. Skimreading the configure script suggests
>> that wouldn't be too hard.

Thanks Ian,

At first glance, creating a new configure.ac seems a bit hard. I already
made some configure.ac for some projects. However, I am not the upstream
and it is a complicating factor. I will try to make something.

> It looks like the jpeg-6b-steg is a modified embedded code copy of
> libjpeg6b. outguess upstream really should send their patches in
> jpeg-6b-steg.diff to libjpeg upstream and remove the copy. I expect
> that outguess is probably vulnerable to the various libjpeg CVEs that
> have been released over the years.
>
> Looking at the unmodified source code, libjpeg upstream didn't release
> their configure.ac file until libjpeg7:
>
> http://ijg.org/files/jpegsrc.v6b.tar.gz
> http://ijg.org/files/jpegsrc.v7.tar.gz

Thanks a lot Paul. It is a good catch.

> So I think what needs to happen here is that outguess needs a proper
> upstream project to exist and be active, remove the embedded code copy
> and port the diff to a newer libjpeg and upstream that and then get
> that uploaded to Debian.

I agree.

Cheers,

Eriberto