Leo Famulari <l...@famulari.name> skribis: > On Fri, Sep 09, 2016 at 02:04:58PM -0400, Leo Famulari wrote: >> Also, the fix for CVE-2016-5157 does not apply to openjpeg-2.0. I'd like >> to investigate this issue separately. The only user of openjpeg-2.0 is >> mupdf. > > I think the best thing to do is update mupdf to the latest upstream > release, 1.9a, make it use openjpeg@2.1, and remove openjpeg-2.0.
Yes, even better. > Please see attached. These patches should be applied on top of the > patches in the email that I am replying to. The patches in question LGTM. > From a357edf0f568acf937f2cd9f0e97269221aee3f2 Mon Sep 17 00:00:00 2001 > From: Leo Famulari <l...@famulari.name> > Date: Fri, 9 Sep 2016 16:08:02 -0400 > Subject: [PATCH 1/2] gnu: mupdf: Update to 1.9a. > > * gnu/packages/pdf.scm (mupdf): Update to 1.9a. > [source]: Use "mupdf-build-with-openjpeg-2.1.patch". Adjust snippet to > preserve bundled 'thirdparty/mujs'. > [inputs]: Add harfbuzz. Replace openjpeg-2.0 with openjpeg. > * gnu/packages/patches/mupdf-build-with-openjpeg-2.1.patch: New file. > * gnu/local.mk (dist_patch_DATA): Add it. [...] > From 8c201fd0392bee804bf11f7c07f4817e3766becd Mon Sep 17 00:00:00 2001 > From: Leo Famulari <l...@famulari.name> > Date: Fri, 9 Sep 2016 16:24:12 -0400 > Subject: [PATCH 2/2] gnu: Remove openjpeg-2.0. > > * gnu/packages/image.scm (openjpeg-2.0): Remove variable. OK as well. Thank you for handling this nicely! Ludo’.
