GNU bug report logs - #33924
OpenJPEG security issues

Previous Next

Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Sun, 30 Dec 2018 17:43:01 UTC

Severity: normal

Done: Marius Bakke <mbakke <at> fastmail.com>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 33924 in the body.
You can then email your comments to 33924 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to bug-guix <at> gnu.org:
bug#33924; Package guix. (Sun, 30 Dec 2018 17:43:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 30 Dec 2018 17:43:03 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: OpenJPEG security issues
Date: Sun, 30 Dec 2018 12:41:50 -0500
[Message part 1 (text/plain, inline)]
There are several open security bugs in our package of OpenJPEG 2.3.0:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg

`guix refresh -l openjpeg` reports that several thousand packages would
need to be rebuilt if we changed OpenJPEG, so we will need to fix these
bugs by cherry-picking the upstream bugfix patches in a grafted
replacement package.

If anyone is interested in doing the work and needs advice, please ask
for help :)

These are the CVE identifiers:

CVE-2017-17479
CVE-2018-5727
CVE-2018-5785
CVE-2018-6616
CVE-2018-7648
CVE-2018-14423
CVE-2018-16375
CVE-2018-16376
CVE-2018-17480
CVE-2018-18088
[signature.asc (application/pgp-signature, inline)]

Reply sent to Marius Bakke <mbakke <at> fastmail.com>:
You have taken responsibility. (Wed, 24 Apr 2019 16:42:01 GMT) Full text and rfc822 format available.

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Wed, 24 Apr 2019 16:42:02 GMT) Full text and rfc822 format available.

Message #10 received at 33924-done <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <mbakke <at> fastmail.com>
To: Leo Famulari <leo <at> famulari.name>, 33924-done <at> debbugs.gnu.org
Subject: Re: bug#33924: OpenJPEG security issues
Date: Wed, 24 Apr 2019 18:41:39 +0200
[Message part 1 (text/plain, inline)]
Leo Famulari <leo <at> famulari.name> writes:

> There are several open security bugs in our package of OpenJPEG 2.3.0:
>
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openjpeg
>
> `guix refresh -l openjpeg` reports that several thousand packages would
> need to be rebuilt if we changed OpenJPEG, so we will need to fix these
> bugs by cherry-picking the upstream bugfix patches in a grafted
> replacement package.
>
> If anyone is interested in doing the work and needs advice, please ask
> for help :)
>
> These are the CVE identifiers:
>
> CVE-2017-17479
> CVE-2018-5727
> CVE-2018-5785
> CVE-2018-6616
> CVE-2018-7648
> CVE-2018-14423
> CVE-2018-16375
> CVE-2018-16376
> CVE-2018-17480
> CVE-2018-18088

I believe commit 0e2b0b05accdea7c3f016f8483d0ec04021114d3 fixed these.
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 23 May 2019 11:24:05 GMT) Full text and rfc822 format available.

This bug report was last modified 4 years and 311 days ago.

Previous Next


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.