Leo Famulari <l...@famulari.name> writes: > * gnu/packages/patches/unrtf-CVE-2016-10091.patch: New file. > * gnu/local.mk (dist_patch_DATA): Add it. > * gnu/packages/unrtf.scm (unrtf)[source]: Use it.
[...] > diff --git a/gnu/packages/patches/unrtf-CVE-2016-10091.patch > b/gnu/packages/patches/unrtf-CVE-2016-10091.patch > new file mode 100644 > index 000000000..0a58b40db > --- /dev/null > +++ b/gnu/packages/patches/unrtf-CVE-2016-10091.patch > @@ -0,0 +1,224 @@ > +Fix CVE-2016-10091 (stack-based buffer overflows in cmd_* functions): > + > +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10091 > +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705 > +http://seclists.org/oss-sec/2016/q4/787 > + > +Patch copied from Debian: > + > +https://anonscm.debian.org/cgit/collab-maint/unrtf.git/commit/?h=jessie&id=7500a48fb0fbad3ab963fb17560b2f90a8a485c8 > + > +The Debian patch adapts this upstream commit so that it can be applied > +to the 0.21.9 release tarball: > + > +http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406 Isn't the Debian patch the same as this upstream commit? I can't spot the difference with a cursory glance. > +diff --git a/debian/patches/series b/debian/patches/series > +new file mode 100644 > +index 0000000..7868249 > +--- /dev/null > ++++ b/debian/patches/series > +@@ -0,0 +1 @@ > ++0001-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch This part we surely don't need ;-) Unless the Debian patch fixes other issues than upstream revision 3b16893a6406 I would just pick and link to that, skipping the Debian step. WDYT? Thanks for taking care of this!
signature.asc
Description: PGP signature
