Bug 735598 - media-libs/openimageio depends on vulnerable media-libs/openjpeg:0
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Aisha Tammy
Depends on: 753566 754216
Blocks: CVE-2018-21010
Reported: 2020-08-02 20:15 UTC by John Helmert III
Modified: 2020-11-13 18:32 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-08-02 20:15:34 UTC
media-libs/openimageio is blocking cleanup of media-libs/openjpeg for bug 711260. Can anything be done about the dependency on openjpeg:0?

https://github.com/gentoo/gentoo/pull/16909
https://qa-reports.gentoo.org/output/gentoo-ci/bcba0b96a2/output.html#media-libs/openimageio
Comment 1 Jonas Stein gentoo-dev 2020-08-03 19:24:07 UTC
please ask upstream and link the ticket here.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-21 03:34:07 UTC
(In reply to Jonas Stein from comment #1)
> please ask upstream and link the ticket here.

It would appear support has been added in a newer upstream release.

https://github.com/OpenImageIO/oiio/blob/master/CHANGES.md#release-22-1-sept-2020----compared-to-21
Comment 3 Larry the Git Cow gentoo-dev 2020-10-08 21:23:48 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a74a1df3530a8d5abbedef5635d7eeae05310990

commit a74a1df3530a8d5abbedef5635d7eeae05310990
Author:     Aisha Tammy <gentoo@aisha.cc>
AuthorDate: 2020-10-01 11:24:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-08 20:16:30 +0000

    media-libs/openimageio: version bump
    
    new maintainer with science
    keyword ppc64 on closing of
    Bug: https://bugs.gentoo.org/746011
    Bug: https://bugs.gentoo.org/746014
    Bug: https://bugs.gentoo.org/745783
    
    Closes: https://bugs.gentoo.org/678294
    Closes: https://bugs.gentoo.org/735598
    
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Aisha Tammy <gentoo@aisha.cc>
    Closes: https://github.com/gentoo/gentoo/pull/17728
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openimageio/Manifest                    |   1 +
 .../files/openimageio-2.2.6.1-pugixml.patch        |  21 ++++
 media-libs/openimageio/metadata.xml                |  10 +-
 media-libs/openimageio/openimageio-2.2.6.1.ebuild  | 139 +++++++++++++++++++++
 4 files changed, 170 insertions(+), 1 deletion(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-12 19:31:37 UTC
Alright, now all that's left is dropping openimageio 1.8 then this bug can be closed.
Comment 5 Larry the Git Cow gentoo-dev 2020-11-13 18:32:25 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=516a01f278c29e62d641fbc3e39482ec5136d361

commit 516a01f278c29e62d641fbc3e39482ec5136d361
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-11-13 18:32:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-11-13 18:32:17 +0000

    media-libs/openimageio: security cleanup
    
    Closes: https://bugs.gentoo.org/735598
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 media-libs/openimageio/Manifest                    |   2 -
 media-libs/openimageio/metadata.xml                |   1 -
 .../openimageio/openimageio-1.8.17-r2.ebuild       | 134 --------------------
 media-libs/openimageio/openimageio-2.2.7.0.ebuild  | 141 ---------------------
 4 files changed, 278 deletions(-)