On Sat, Dec 10, 2016 at 08:03:24PM +0000, Efraim Flashner wrote:
> efraim pushed a commit to branch master
> in repository guix.
>
> commit a304b6c362dcfadfaa2cfe2a67f5e948f247fd51
> Author: Efraim Flashner <efr...@flashner.co.il>
> Date:   Sat Dec 10 21:45:29 2016 +0200
>
>     gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}.
>
>     * gnu/packages/image.scm (openjpeg)[replacement]: New field.
>     (openjpeg/fixed): New variable, patch against CVE-2016-9850,
>     CVE-2016-9851.
>     * gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch: New
>     file.
>     * gnu/local.mk (dist_patch_DATA): Register it.
I think this patch should have been sent to guix-devel for review.

The patches are from a 3rd-party repository. The author does seem to have a relationship to the OpenJPEG project (from past commits), but nobody else from OpenJPEG has commented on these changes yet:

https://github.com/uclouvain/openjpeg/issues/871
https://github.com/uclouvain/openjpeg/issues/872
https://github.com/uclouvain/openjpeg/pull/873/files

While poking around, I noticed there is a newer OpenJPEG release (2.1.2), and a bunch of recent bugs:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg

Especially CVE-2016-8332:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8332