03/03: gnu: jasper: Patch CVE-2008-3522.

guix-commits

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

03/03: gnu: jasper: Patch CVE-2008-3522.

From:	Ludovic Court�s
Subject:	03/03: gnu: jasper: Patch CVE-2008-3522.
Date:	Sat, 28 Nov 2015 15:36:36 +0000

civodul pushed a commit to branch master
in repository guix.

commit f79a576e776eb299af52d60cdd51f4a4f79beee3
Author: Ludovic Courtès <address@hidden>
Date:   Sat Nov 28 16:29:11 2015 +0100

    gnu: jasper: Patch CVE-2008-3522.
    
    * gnu/packages/patches/jasper-CVE-2008-3522.patch: New file.
    * gnu/packages/image.scm (jasper)[source]: Use it.
    * gnu-system.am (dist_patch_DATA): Add it.
---
 gnu-system.am                                   |    1 +
 gnu/packages/image.scm                          |    3 ++-
 gnu/packages/patches/jasper-CVE-2008-3522.patch |   14 ++++++++++++++
 3 files changed, 17 insertions(+), 1 deletions(-)

diff --git a/gnu-system.am b/gnu-system.am
index f69645b..e6af49b 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -535,6 +535,7 @@ dist_patch_DATA =                                           
\
   gnu/packages/patches/icu4c-CVE-2015-4760.patch               \
   gnu/packages/patches/imagemagick-test-segv.patch             \
   gnu/packages/patches/irrlicht-mesa-10.patch                  \
+  gnu/packages/patches/jasper-CVE-2008-3522.patch              \
   gnu/packages/patches/jbig2dec-ignore-testtest.patch          \
   gnu/packages/patches/julia-0.3.10-fix-empty-array.patch      \
   gnu/packages/patches/kmod-module-directory.patch             \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 8a4a42a..f3f89f6 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -714,7 +714,8 @@ convert, manipulate, filter and display a wide variety of 
image formats.")
                                   "/software/jasper-" version ".zip"))
               (sha256
                (base32
-                "154l7zk7yh3v8l2l6zm5s2alvd2fzkp6c9i18iajfbna5af5m43b"))))
+                "154l7zk7yh3v8l2l6zm5s2alvd2fzkp6c9i18iajfbna5af5m43b"))
+              (patches (list (search-patch "jasper-CVE-2008-3522.patch")))))
     (build-system gnu-build-system)
     (native-inputs
      `(("unzip" ,unzip)))
diff --git a/gnu/packages/patches/jasper-CVE-2008-3522.patch 
b/gnu/packages/patches/jasper-CVE-2008-3522.patch
new file mode 100644
index 0000000..10cfec9
--- /dev/null
+++ b/gnu/packages/patches/jasper-CVE-2008-3522.patch
@@ -0,0 +1,14 @@
+Fix CVE-2008-3522 (buffer overflow in 'jas_stream_printf').
+Patch from <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3522>.
+
+--- jasper-1.900.1/src/libjasper/base/jas_stream.c     2008-09-08 
14:56:01.000000000 +0200
++++ jasper-1.900.1/src/libjasper/base/jas_stream.c     2008-09-08 
14:58:16.000000000 +0200
+@@ -553,7 +553,7 @@ int jas_stream_printf(jas_stream_t *stre
+       int ret;
+ 
+       va_start(ap, fmt);
+-      ret = vsprintf(buf, fmt, ap);
++      ret = vsnprintf(buf, sizeof buf, fmt, ap);
+       jas_stream_puts(stream, buf);
+       va_end(ap);
+       return ret;

[Prev in Thread]

Current Thread

[Next in Thread]

branch master updated (ae4427e -> f79a576), Ludovic Court�s, 2015/11/28
- 02/03: lint: Do not report already-patched vulnerabilities., Ludovic Court�s, 2015/11/28
- 01/03: doc: Mention 'specification->package'., Ludovic Court�s, 2015/11/28
- 03/03: gnu: jasper: Patch CVE-2008-3522., Ludovic Court�s <=

Prev by Date: 01/03: doc: Mention 'specification->package'.
Next by Date: branch core-updates updated (90c59e9 -> e946b60)
Previous by thread: 01/03: doc: Mention 'specification->package'.
Next by thread: branch core-updates updated (90c59e9 -> e946b60)
Index(es):
- Date
- Thread