Bug 212672 - graphics/openjpeg: fix CVE-2016-5157, CVE-2016-7163
Summary: graphics/openjpeg: fix CVE-2016-5157, CVE-2016-7163
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Mark Felder
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-14 00:24 UTC by Piotr Kubaj
Modified: 2016-10-30 09:37 UTC (History)
3 users (show)

See Also:
bugzilla: maintainer-feedback? (sunpoet)
koobs: merge-quarterly+


Attachments
openjpeg patch (6.02 KB, patch)
2016-09-14 00:24 UTC, Piotr Kubaj
pkubaj: maintainer-approval? (sunpoet)
Details | Diff
vuxml patch (1.96 KB, patch)
2016-09-14 00:24 UTC, Piotr Kubaj
pkubaj: maintainer-approval? (ports-secteam)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Piotr Kubaj freebsd_committer 2016-09-14 00:24:12 UTC
Created attachment 174758 [details]
openjpeg patch

The attached patch fixes two CVE's:
http://www.openwall.com/lists/oss-security/2016/09/08/2
http://www.openwall.com/lists/oss-security/2016/09/08/3

It builds fine on Poudriere with FreeBSD 10.3.
Comment 1 Piotr Kubaj freebsd_committer 2016-09-14 00:24:40 UTC
Created attachment 174759 [details]
vuxml patch
Comment 2 commit-hook freebsd_committer 2016-10-11 15:08:23 UTC
A commit references this bug:

Author: feld
Date: Tue Oct 11 15:07:54 UTC 2016
New revision: 423769
URL: https://svnweb.freebsd.org/changeset/ports/423769

Log:
  Document openjpeg vulnerability

  PR:		212672
  Security:	CVE-2016-5157
  Security:	CVE-2016-7163

Changes:
  head/security/vuxml/vuln.xml
Comment 3 Mark Felder freebsd_committer 2016-10-11 15:08:47 UTC
Committed, thanks

Apologies for the delay. Your submission is *greatly* appreciated.
Comment 4 commit-hook freebsd_committer 2016-10-11 15:13:27 UTC
A commit references this bug:

Author: feld
Date: Tue Oct 11 15:13:16 UTC 2016
New revision: 423771
URL: https://svnweb.freebsd.org/changeset/ports/423771

Log:
  graphics/openjpeg: Add patches to resolve CVEs

  PR:		212672
  MFH:		2016Q4
  Security:	CVE-2016-5157
  Security:	CVE-2016-7163

Changes:
  head/graphics/openjpeg/Makefile
  head/graphics/openjpeg/files/patch-src_lib_openjp2_pi.c
  head/graphics/openjpeg/files/patch-src_lib_openjp2_tcd.c
  head/graphics/openjpeg/files/patch-tests_compare__dump__files.c
  head/graphics/openjpeg/files/patch-tests_nonregression_test__suite.ctest.in
Comment 5 commit-hook freebsd_committer 2016-10-11 15:14:29 UTC
A commit references this bug:

Author: feld
Date: Tue Oct 11 15:14:21 UTC 2016
New revision: 423772
URL: https://svnweb.freebsd.org/changeset/ports/423772

Log:
  MFH: r423771

  graphics/openjpeg: Add patches to resolve CVEs

  PR:		212672
  Security:	CVE-2016-5157
  Security:	CVE-2016-7163

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q4/
  branches/2016Q4/graphics/openjpeg/Makefile
  branches/2016Q4/graphics/openjpeg/files/patch-src_lib_openjp2_pi.c
  branches/2016Q4/graphics/openjpeg/files/patch-src_lib_openjp2_tcd.c
  branches/2016Q4/graphics/openjpeg/files/patch-tests_compare__dump__files.c
  branches/2016Q4/graphics/openjpeg/files/patch-tests_nonregression_test__suite.ctest.in
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2016-10-30 09:37:55 UTC
Correctly set merge-quarterly