public inbox for cygwin-apps@cygwin.com
* Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library
       [not found] <announce.vriv4m1gi57u.fsf@volkerzell.de>
@ 2017-01-12 20:26 ` Yaakov Selkowitz
  2017-01-18 12:12   ` Dr. Volker Zell
  0 siblings, 1 reply; 6+ messages in thread
From: Yaakov Selkowitz @ 2017-01-12 20:26 UTC (permalink / raw)
  To: cygwin-apps

On 2017-01-03 08:32, Dr. Volker Zell wrote:
> New versions of 'jasper/libjasper1/libjasper-devel' have been uploaded to a server near you.
>
>  o Build for cygwin 2.6.1 with gcc-5.4.0
>  o Update to latest version before ABI bump

Not really; the fix therein for CVE-2015-5203 broke ABI on 64-bit 
systems by changing the size of an existing member of a public struct 
(int to size_t), just that they neglected to bump the ABI version until 
afterwards:

https://github.com/mdadams/jasper/issues/84

For compatibility with packages currently linked with libjasper1, this 
needs to be reverted in part.  Here is what Fedora is currently shipping 
on stable branches:

http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/?h=f25

Then, we could update to 1.900.29, or even 2.0.10 -- which should 
provide libjasper4 -- against which all jasper-dependent packages would 
then have to be rebuilt.

-- 
Yaakov
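
The ABI break described in the message above, as an added example that is not part of the thread and is not jasper's code: widening one member of a public struct from int to size_t changes the struct's size and the offsets of later members wherever size_t is wider than int. The struct and function names are hypothetical and only model the kind of change described.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical public struct as shipped under the old library version. */
struct img_v1 {
    int width;
    int len;     /* the member the fix widens */
    int height;  /* every member after it is at risk of moving */
};

/* Same struct after the fix: one member changed from int to size_t. */
struct img_v2 {
    int    width;
    size_t len;
    int    height;
};

/* Nonzero when the layouts disagree, i.e. the ABI version has to change. */
int abi_changed(void)
{
    return sizeof(struct img_v1) != sizeof(struct img_v2)
        || offsetof(struct img_v1, len) != offsetof(struct img_v2, len)
        || offsetof(struct img_v1, height) != offsetof(struct img_v2, height);
}

/* Models an application compiled against the v1 header that is handed an
 * object filled in by the v2 library: returns the height it would read. */
int height_seen_by_old_consumer(int width, size_t len, int height)
{
    struct img_v2 lib_obj;
    struct img_v1 app_view;

    memset(&lib_obj, 0, sizeof lib_obj);
    lib_obj.width = width;
    lib_obj.len = len;
    lib_obj.height = height;
    /* sizeof app_view <= sizeof lib_obj, so the copy stays in bounds. */
    memcpy(&app_view, &lib_obj, sizeof app_view);
    return app_view.height;
}

int main(void)
{
    printf("v1 size %zu, v2 size %zu, ABI changed: %d\n",
           sizeof(struct img_v1), sizeof(struct img_v2), abi_changed());
    printf("library wrote height 480, old consumer reads %d\n",
           height_seen_by_old_consumer(640, 7, 480));
    return 0;
}
```

On a 32-bit target, where int and size_t have the same size, both layouts match and the old consumer reads the correct value, which is why the break shows up only on 64-bit systems.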


* Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library
  2017-01-12 20:26 ` Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library Yaakov Selkowitz
@ 2017-01-18 12:12   ` Dr. Volker Zell
  2017-02-22 19:53     ` Yaakov Selkowitz
  0 siblings, 1 reply; 6+ messages in thread
From: Dr. Volker Zell @ 2017-01-18 12:12 UTC (permalink / raw)
  To: cygwin-apps

On 12.01.2017 21:26, Yaakov Selkowitz wrote:
> On 2017-01-03 08:32, Dr. Volker Zell wrote:
>> New versions of 'jasper/libjasper1/libjasper-devel' have been uploaded
>> to a server near you.
>>
>>  o Build for cygwin 2.6.1 with gcc-5.4.0
>>  o Update to latest version before ABI bump
>
> Not really; the fix therein for CVE-2015-5203 broke ABI on 64-bit
> systems by changing the size of an existing member of a public struct
> (int to size_t), just that they neglected to bump the ABI version until
> afterwards:
>
> https://github.com/mdadams/jasper/issues/84
>
> For compatibility with packages currently linked with libjasper1, this
> needs to be reverted in part.  Here is what Fedora is currently shipping
> on stable branches:
>
> http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/?h=f25

Is this the complete current patchset relative to jasper-1.900.1 that you 
want me to apply? How to proceed with the current buggy package? Could 
you just remove it?

Thanks
   Volker


* Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library
  2017-01-18 12:12   ` Dr. Volker Zell
@ 2017-02-22 19:53     ` Yaakov Selkowitz
  2017-03-24 19:02       ` Yaakov Selkowitz
  0 siblings, 1 reply; 6+ messages in thread
From: Yaakov Selkowitz @ 2017-02-22 19:53 UTC (permalink / raw)
  To: cygwin-apps

On 2017-01-18 06:11, Dr. Volker Zell wrote:
> On 12.01.2017 21:26, Yaakov Selkowitz wrote:
>> On 2017-01-03 08:32, Dr. Volker Zell wrote:
>>> New versions of 'jasper/libjasper1/libjasper-devel' have been uploaded
>>> to a server near you.
>>>
>>>  o Build for cygwin 2.6.1 with gcc-5.4.0
>>>  o Update to latest version before ABI bump
>>
>> Not really; the fix therein for CVE-2015-5203 broke ABI on 64-bit
>> systems by changing the size of an existing member of a public struct
>> (int to size_t), just that they neglected to bump the ABI version until
>> afterwards:
>>
>> https://github.com/mdadams/jasper/issues/84
>>
>> For compatibility with packages currently linked with libjasper1, this
>> needs to be reverted in part.  Here is what Fedora is currently shipping
>> on stable branches:
>>
>> http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/?h=f25
>
> Is this the complete current patchset relative to jasper-1.900.1 that you
> want me to apply?

No, the details are in the .spec file.  In short, you want 1.900.13 plus 
the jasper-1.900.1-CVE-2008-3520.patch and 
jasper-1.900.13-CVE-2016-9583.patch patches.

Once that's uploaded, then let's proceed with an upgrade to 2.0.10, 
which already has all the fixes along with the ABI version change.

> How to proceed with the current buggy package? Could
> you just remove it?

Yes, I can do that.

-- 
Yaakov


* Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library
  2017-02-22 19:53     ` Yaakov Selkowitz
@ 2017-03-24 19:02       ` Yaakov Selkowitz
  2017-05-05 20:37         ` Yaakov Selkowitz
  0 siblings, 1 reply; 6+ messages in thread
From: Yaakov Selkowitz @ 2017-03-24 19:02 UTC (permalink / raw)
  To: cygwin-apps

On 2017-02-22 13:53, Yaakov Selkowitz wrote:
> On 2017-01-18 06:11, Dr. Volker Zell wrote:
>> On 12.01.2017 21:26, Yaakov Selkowitz wrote:
>>> On 2017-01-03 08:32, Dr. Volker Zell wrote:
>>>> New versions of 'jasper/libjasper1/libjasper-devel' have been uploaded
>>>> to a server near you.
>>>>
>>>>  o Build for cygwin 2.6.1 with gcc-5.4.0
>>>>  o Update to latest version before ABI bump
>>>
>>> Not really; the fix therein for CVE-2015-5203 broke ABI on 64-bit
>>> systems by changing the size of an existing member of a public struct
>>> (int to size_t), just that they neglected to bump the ABI version until
>>> afterwards:
>>>
>>> https://github.com/mdadams/jasper/issues/84
>>>
>>> For compatibility with packages currently linked with libjasper1, this
>>> needs to be reverted in part.  Here is what Fedora is currently shipping
>>> on stable branches:
>>>
>>> http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/?h=f25
>>
>> Is this the complete current patchset relative to jasper-1.900.1 that you
>> want me to apply?
>
> No, the details are in the .spec file.  In short, you want 1.900.13 plus
> the jasper-1.900.1-CVE-2008-3520.patch and
> jasper-1.900.13-CVE-2016-9583.patch patches.

There are now additionally jasper-1.900.13-CVE-2016-9262.patch and 
jasper-1.900.13-CVE-2016-8654.patch.

> Once that's uploaded, then let's proceed with an upgrade to 2.0.10,
> which already has all the fixes along with the ABI version change.

That's 2.0.12 now.

-- 
Yaakov


* Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library
  2017-03-24 19:02       ` Yaakov Selkowitz
@ 2017-05-05 20:37         ` Yaakov Selkowitz
  2017-05-07  8:42           ` Marco Atzeri
  0 siblings, 1 reply; 6+ messages in thread
From: Yaakov Selkowitz @ 2017-05-05 20:37 UTC (permalink / raw)
  To: cygwin-apps

On 2017-03-24 14:02, Yaakov Selkowitz wrote:
> On 2017-02-22 13:53, Yaakov Selkowitz wrote:
>> No, the details are in the .spec file.  In short, you want 1.900.13 plus
>> the jasper-1.900.1-CVE-2008-3520.patch and
>> jasper-1.900.13-CVE-2016-9583.patch patches.
>
> There are now additionally jasper-1.900.13-CVE-2016-9262.patch and
> jasper-1.900.13-CVE-2016-8654.patch.
>
>> Once that's uploaded, then let's proceed with an upgrade to 2.0.10,
>> which already has all the fixes along with the ABI version change.
>
> That's 2.0.12 now.

Unfortunately, some of my packages ended up being built against the 
later libjasper1, so it's too late to revert this cleanly.  Therefore, I 
have left it alone, uploaded 2.0.12, and rebuilt all my dependent packages.

Marco, that leaves your gdal and GraphicsMagick as the only packages 
still using libjasper1.

-- 
Yaakov


* Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library
  2017-05-05 20:37         ` Yaakov Selkowitz
@ 2017-05-07  8:42           ` Marco Atzeri
  0 siblings, 0 replies; 6+ messages in thread
From: Marco Atzeri @ 2017-05-07  8:42 UTC (permalink / raw)
  To: cygwin-apps

On 05/05/2017 22:37, Yaakov Selkowitz wrote:
> On 2017-03-24 14:02, Yaakov Selkowitz wrote:
>> On 2017-02-22 13:53, Yaakov Selkowitz wrote:
>>> No, the details are in the .spec file.  In short, you want 1.900.13 plus
>>> the jasper-1.900.1-CVE-2008-3520.patch and
>>> jasper-1.900.13-CVE-2016-9583.patch patches.
>>
>> There are now additionally jasper-1.900.13-CVE-2016-9262.patch and
>> jasper-1.900.13-CVE-2016-8654.patch.
>>
>>> Once that's uploaded, then let's proceed with an upgrade to 2.0.10,
>>> which already has all the fixes along with the ABI version change.
>>
>> That's 2.0.12 now.
>
> Unfortunately, some of my packages ended up being built against the
> later libjasper1, so it's too late to revert this cleanly.  Therefore, I
> have left it alone, uploaded 2.0.12, and rebuilt all my dependent packages.
>
> Marco, that leaves your gdal and GraphicsMagick as the only packages
> still using libjasper1.


Rebuilding GraphicsMagick.
Gdal should have a new release shortly.

Regards
Marco
