This patch should fix the bugs named here:

http://seclists.org/oss-sec/2016/q4/517

I copied Debian's approach, which is to take all the recent patches for
the vulnerable component (the FLIC decoder).

My understanding is that the first two patches fix the CVEs, the 3rd
fixes an unrelated bug, and the 4th is a total rewrite of the component,
because "code is terrible, it should be entirely re-written" [0].

The CVE bug fixes are not split into discrete patches, so it doesn't
work to make patches for each CVE ID, like we normally do.

Is this approach (concatenating the patches) okay?

[0] https://bugzilla.gnome.org/show_bug.cgi?id=774859#c1

Leo Famulari (1):
  gnu: gst-plugins-good: Fix CVE-2016-{9634,9635,9636}.

 gnu/local.mk                                       |    1 +
 gnu/packages/gstreamer.scm                         |    1 +
 .../gst-plugins-good-flxdec-heap-overflow.patch    | 1433 ++++++++++++++++++++
 3 files changed, 1435 insertions(+)
 create mode 100644 gnu/packages/patches/gst-plugins-good-flxdec-heap-overflow.patch

-- 
2.10.2
