Date: Fri, 7 Jul 2017 00:07:26 -0400
From: Leo Famulari
To: Alex Vong
Cc: 27603-done@debbugs.gnu.org
Subject: Re: [bug#27603] [PATCH] gnu: libtiff: Fix CVE-2017-{9936,10688}.

On Thu, Jul 06, 2017 at 07:40:38PM -0400, Leo Famulari wrote:
> On Fri, Jul 07, 2017 at 06:31:36AM +0800, Alex Vong wrote:
> > * gnu/packages/patches/libtiff-CVE-2017-9936.patch,
> > gnu/packages/patches/libtiff-CVE-2017-10688.patch: New files.
> > * gnu/packages/image.scm (libtiff-4.0.8)[source]: Add patches.
> > * gnu/local.mk (dist_patch_DATA): Add them.
>
> > +Patch lifted from upstream source repository (the changes to 'ChangeLog'
> > +don't apply to the libtiff 4.0.8 release tarball):
> > +
> > +https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
>
> This is actually not the upstream source repository. It's a 3rd party
> unofficial mirror.
>
> To the chagrin of young packagers everywhere, libtiff is still using
> CVS. Unless somebody beats me to it, I'll extract the patches from their
> CVS repo later tonight.

I pushed this as dab536fe1ae5a8775a2b50fa50556445b6ac7818.

Thanks for getting it started Alex!
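
Review bot: The "+Patch lifted from upstream source repository" line in the quoted patch header attributes the change to github.com/vadz/libtiff, which the reply identifies as a third-party unofficial mirror. The header should either describe that URL as a mirror or reference the change in libtiff's own CVS repository, so that anyone auditing the CVE fix can check the patch against the real upstream. The parenthetical about the dropped 'ChangeLog' changes is worth keeping, since it records how the packaged patch differs from the referenced commit.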