This patch fixes CVE-2016-9572 and CVE-2016-9573 in OpenJPEG. Notice that the patch is not from the official OpenJPEG repository. I've asked for clarification here:
https://github.com/uclouvain/openjpeg/issues/863#issuecomment-274271277

Debian has applied it to their openjpeg2 2.1.0-2+deb8u2 package (sorry, I can't find a link to their package code; download the tarball and inspect it manually):

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851422
https://tracker.debian.org/pkg/openjpeg2

Leo Famulari (1):
  gnu: openjpeg: Fix CVE-2016-{9572,9573}.

 gnu/local.mk                                       |   1 +
 gnu/packages/image.scm                             |   3 +-
 .../openjpeg-CVE-2016-9572-CVE-2016-9573.patch     | 233 +++++++++++++++++++++
 3 files changed, 236 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/openjpeg-CVE-2016-9572-CVE-2016-9573.patch

-- 
2.11.0