Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 607190 - <app-text/ghostscript-gpl-9.20-r1: Multiple vulnerabilities through bundled media-libs/openjpeg
Summary: <app-text/ghostscript-gpl-9.20-r1: Multiple vulnerabilities through bundled m...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on: CVE-2016-7976, CVE-2016-7977, CVE-2016-7978, CVE-2016-7979, CVE-2016-8602
Blocks:
  Show dependency tree
 
Reported: 2017-01-25 15:29 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-02-22 11:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-25 15:29:43 UTC 
app-text/ghostscript-gpl is currently bundling media-libs/openjpeg (ghostscript-gpl-9.19 includes openjpeg-2.1.0).

The package should be affected by most vulnerabilities mentioned in https://security.gentoo.org/glsa/201612-26
Comment 1 Tiziano Müller (RETIRED) gentoo-dev 2017-01-25 17:59:56 UTC 
Unbundling openjpeg seems possible (upstream uses 2.1.0), but `base/lib.mak` needs to be patched to make it build with openjpeg 2.1.1+.

See https://gitweb.gentoo.org/dev/dev-zero.git/commit/?id=9a914722e7c0b19b244088964e8ac876cda50ce4 for a preliminary version bump to 9.20
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-30 00:37:33 UTC 
OpenJPEG was unbundled in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=521a0bbaf9bea07b4c977156bb5cd3efaded1bb4 as part of bug 596576.
Comment 3 Andreas K. Hüttel archtester gentoo-dev 2017-02-21 12:46:17 UTC 
All vulnerable versions have been removed.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 18:23:22 UTC 
Added to an existing GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-02-22 11:25:00 UTC 
This issue was resolved and addressed in
 GLSA 201702-31 at https://security.gentoo.org/glsa/201702-31
by GLSA coordinator Thomas Deutschmann (whissi).