On Sun, Dec 11, 2016 at 01:02:14AM -0500, Leo Famulari wrote:
> On Sat, Dec 10, 2016 at 08:03:24PM +0000, Efraim Flashner wrote:
> > efraim pushed a commit to branch master
> > in repository guix.
> >
> > commit a304b6c362dcfadfaa2cfe2a67f5e948f247fd51
> > Author: Efraim Flashner <efr...@flashner.co.il>
> > Date: Sat Dec 10 21:45:29 2016 +0200
> >
> > gnu: openjpeg: Add fixes for CVE-2016-{9850,9851}.
> >
> > * gnu/packages/image.scm (openjpeg)[replacement]: New field.
> > (openjpeg/fixed): New variable, patch against CVE-2016-9850,
> > CVE-2016-9851.
> > * gnu/packages/patches/openjpeg-CVE-2016-9850-CVE-2016-9851.patch: New
> > file.
> > * gnu/local.mk (dist_patch_DATA): Register it.
>
> I think this patch should have been sent to guix-devel for review.
>
> The patches are from a 3rd-party repository. The author does seem to
> have a relationship to the OpenJPEG project (from past commits), but
> nobody else from OpenJPEG commented on these changes yet:
>
> https://github.com/uclouvain/openjpeg/issues/871
> https://github.com/uclouvain/openjpeg/issues/872
> https://github.com/uclouvain/openjpeg/pull/873/filesYou're right, I should've been more careful with that. > > While poking around, I noticed there is a newer OpenJPEG release > (2.1.2), and a bunch of recent bugs: > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg > > Especial CVE-2016-8332: > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8332 > Good catch, I noticed that there was a newer version, but for some reason I never even thought to use the newer release as the base for the replacement. -- Efraim Flashner <efr...@flashner.co.il> אפרים פלשנר GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351 Confidentiality cannot be guaranteed on emails sent or received unencrypted
signature.asc
Description: PGP signature
