On Sat, Jan 30, 2016 at 04:20:50PM -0500, Leo Famulari wrote: > I set out to apply the fix for CVE-2016-1867 to jasper and found that > our package had many unpatched CVEs dating back to 2008 [0].
When this is pushed, I will have to remember to add copyright attribution for myself. I forgot to include that. > > Most of these patches are copied from Fedora [1] but the patch for > CVE-2016-1867 is copied from SUSE [2]. > > I copied one non-CVE patch from Fedora because the patch for > CVE-2008-3520 builds on it. > > There are other non-CVE patches in the Fedora tree [1]. Do you think we > should apply any of those as well? > > [0] > https://security-tracker.debian.org/tracker/source-package/jasper > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3520 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4516 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4517 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8137 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8138 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8157 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8158 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9029 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1867 > > [1] > http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/ > > [2] > https://bugzilla.suse.com/show_bug.cgi?id=961886 > > Leo Famulari (1): > gnu: jasper: Add fixes for several security flaws. > > gnu-system.am | 9 + > gnu/packages/image.scm | 13 +- > gnu/packages/patches/jasper-CVE-2008-3520.patch | 931 > +++++++++++++++++++++ > .../jasper-CVE-2011-4516-and-CVE-2011-4517.patch | 31 + > gnu/packages/patches/jasper-CVE-2014-8137.patch | 64 ++ > gnu/packages/patches/jasper-CVE-2014-8138.patch | 21 + > gnu/packages/patches/jasper-CVE-2014-8157.patch | 19 + > gnu/packages/patches/jasper-CVE-2014-8158.patch | 336 ++++++++ > gnu/packages/patches/jasper-CVE-2014-9029.patch | 36 + > gnu/packages/patches/jasper-CVE-2016-1867.patch | 18 + > .../patches/jasper-stepsizes-overflow.patch | 20 + > 11 files changed, 1497 insertions(+), 1 deletion(-) > create mode 100644 gnu/packages/patches/jasper-CVE-2008-3520.patch > create mode 100644 > gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch > create mode 100644 gnu/packages/patches/jasper-CVE-2014-8137.patch > create mode 100644 gnu/packages/patches/jasper-CVE-2014-8138.patch > create mode 100644 gnu/packages/patches/jasper-CVE-2014-8157.patch > create mode 100644 gnu/packages/patches/jasper-CVE-2014-8158.patch > create mode 100644 gnu/packages/patches/jasper-CVE-2014-9029.patch > create mode 100644 gnu/packages/patches/jasper-CVE-2016-1867.patch > create mode 100644 gnu/packages/patches/jasper-stepsizes-overflow.patch > > -- > 2.6.3 > >
