Re: [v2 0/1] Jasper security fixes

2016-02-04 Thread Ludovic Courtès
Thanks for taking care of it, Leo.

Ludo’.



Re: [v2 0/1] Jasper security fixes

2016-02-04 Thread Leo Famulari
On Thu, Feb 04, 2016 at 11:45:38AM +0100, Andreas Enge wrote:
> It is a bit frightening that such a package with lots of CVE fixes apparently
> is dead upstream (since the patches from 2008 have not been incorporated into
> a new release). On the other hand, someone must have written the patches;
> is there no new upstream who has taken over? If not, is the software still
> useful and unique enough to keep it around?

I agree. The upstream developers claim to be responsive [0] but it's
hard to reconcile that with 9 years of unpatched CVEs. Especially when
many of these patches address potential untrusted remote code execution.

It seems that sometimes a distro adopts another distro's patch, or
sometimes writes their own. Every distro is maintaining their own patch
quilt. Not good!

I haven't found a new upstream for jasper.

Thankfully, only Kodi depends on jasper in our tree. I searched my store
for other software that might have bundled it and found nothing, but I
don't have many programs that would handle JPEGs installed. Perhaps it's
possible to use some other JPEG implementation in Kodi and drop jasper.

Sadly, there are many packages in our tree, with active upstreams, that
are probably just as vulnerable.

> 
> Apart from these more fundamental questions, it looks good to push.

Done.

[0] http://www.ece.uvic.ca/~frodo/jasper/#faq



Re: [v2 0/1] Jasper security fixes

2016-02-04 Thread Andreas Enge
It is a bit frightening that such a package with lots of CVE fixes apparently
is dead upstream (since the patches from 2008 have not been incorporated into
a new release). On the other hand, someone must have written the patches;
is there no new upstream who has taken over? If not, is the software still
useful and unique enough to keep it around?

Apart from these more fundamental questions, it looks good to push.

Andreas




[v2 0/1] Jasper security fixes

2016-02-04 Thread Leo Famulari
This is the same code as before with minor changes:

1. I realized that the jasper-stepsizes-overflow.patch was better named
jasper-CVE-2007-2721.patch and renamed it.

2. A whitespace fix.

3. I added my name in the copyright stanza.

If there are no comments I'll push today, or someone else may push.

Leo Famulari (1):
  gnu: jasper: Add fixes for several security flaws.

 gnu-system.am  |   9 +
 gnu/packages/image.scm |  14 +-
 gnu/packages/patches/jasper-CVE-2007-2721.patch|  20 +
 gnu/packages/patches/jasper-CVE-2008-3520.patch| 931 +
 .../jasper-CVE-2011-4516-and-CVE-2011-4517.patch   |  31 +
 gnu/packages/patches/jasper-CVE-2014-8137.patch|  64 ++
 gnu/packages/patches/jasper-CVE-2014-8138.patch|  21 +
 gnu/packages/patches/jasper-CVE-2014-8157.patch|  19 +
 gnu/packages/patches/jasper-CVE-2014-8158.patch| 336 
 gnu/packages/patches/jasper-CVE-2014-9029.patch|  36 +
 gnu/packages/patches/jasper-CVE-2016-1867.patch|  18 +
 11 files changed, 1498 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/jasper-CVE-2007-2721.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2008-3520.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2011-4516-and-CVE-2011-4517.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8137.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8138.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8157.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-8158.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2014-9029.patch
 create mode 100644 gnu/packages/patches/jasper-CVE-2016-1867.patch

-- 
2.6.3