Bug 212672 - graphics/openjpeg: fix CVE-2016-5157, CVE-2016-7163
Summary: graphics/openjpeg: fix CVE-2016-5157, CVE-2016-7163
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Mark Felder
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-14 00:24 UTC by Piotr Kubaj
Modified: 2016-10-30 09:37 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (sunpoet)
koobs: merge-quarterly+

Attachments
openjpeg patch (6.02 KB, patch)
2016-09-14 00:24 UTC, Piotr Kubaj 		pkubaj: maintainer-approval? (sunpoet)
 Details | Diff
vuxml patch (1.96 KB, patch)
2016-09-14 00:24 UTC, Piotr Kubaj 		pkubaj: maintainer-approval? (ports-secteam)
 Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Piotr Kubaj freebsd_committer freebsd_triage 2016-09-14 00:24:12 UTC 
Created attachment 174758 [details]
openjpeg patch

The attached patch fixes two CVE's:
http://www.openwall.com/lists/oss-security/2016/09/08/2
http://www.openwall.com/lists/oss-security/2016/09/08/3

It builds fine on Poudriere with FreeBSD 10.3.
Comment 1 Piotr Kubaj freebsd_committer freebsd_triage 2016-09-14 00:24:40 UTC 
Created attachment 174759 [details]
vuxml patch
Comment 2 commit-hook freebsd_committer freebsd_triage 2016-10-11 15:08:23 UTC 
A commit references this bug:

Author: feld
Date: Tue Oct 11 15:07:54 UTC 2016
New revision: 423769
URL: https://svnweb.freebsd.org/changeset/ports/423769

Log:
  Document openjpeg vulnerability

  PR:		212672
  Security:	CVE-2016-5157
  Security:	CVE-2016-7163

Changes:
  head/security/vuxml/vuln.xml
Comment 3 Mark Felder freebsd_committer freebsd_triage 2016-10-11 15:08:47 UTC 
Committed, thanks

Apologies for the delay. Your submission is *greatly* appreciated.
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-10-11 15:13:27 UTC 
A commit references this bug:

Author: feld
Date: Tue Oct 11 15:13:16 UTC 2016
New revision: 423771
URL: https://svnweb.freebsd.org/changeset/ports/423771

Log:
  graphics/openjpeg: Add patches to resolve CVEs

  PR:		212672
  MFH:		2016Q4
  Security:	CVE-2016-5157
  Security:	CVE-2016-7163

Changes:
  head/graphics/openjpeg/Makefile
  head/graphics/openjpeg/files/patch-src_lib_openjp2_pi.c
  head/graphics/openjpeg/files/patch-src_lib_openjp2_tcd.c
  head/graphics/openjpeg/files/patch-tests_compare__dump__files.c
  head/graphics/openjpeg/files/patch-tests_nonregression_test__suite.ctest.in
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-10-11 15:14:29 UTC 
A commit references this bug:

Author: feld
Date: Tue Oct 11 15:14:21 UTC 2016
New revision: 423772
URL: https://svnweb.freebsd.org/changeset/ports/423772

Log:
  MFH: r423771

  graphics/openjpeg: Add patches to resolve CVEs

  PR:		212672
  Security:	CVE-2016-5157
  Security:	CVE-2016-7163

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q4/
  branches/2016Q4/graphics/openjpeg/Makefile
  branches/2016Q4/graphics/openjpeg/files/patch-src_lib_openjp2_pi.c
  branches/2016Q4/graphics/openjpeg/files/patch-src_lib_openjp2_tcd.c
  branches/2016Q4/graphics/openjpeg/files/patch-tests_compare__dump__files.c
  branches/2016Q4/graphics/openjpeg/files/patch-tests_nonregression_test__suite.ctest.in
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2016-10-30 09:37:55 UTC 
Correctly set merge-quarterly