* Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library
From: Yaakov Selkowitz @ 2017-01-12 20:26 UTC
To: cygwin-apps

On 2017-01-03 08:32, Dr. Volker Zell wrote:
> New versions of 'jasper/libjasper1/libjasper-devel' have been uploaded to a server near you.
>
> o Build for cygwin 2.6.1 with gcc-5.4.0
> o Update to latest version before ABI bump

Not really; the fix therein for CVE-2015-5203 broke ABI on 64-bit
systems by changing the size of an existing member of a public struct
(int to size_t), just that they neglected to bump the ABI version until
afterwards:

https://github.com/mdadams/jasper/issues/84

For compatibility with packages currently linked with libjasper1, this
needs to be reverted in part. Here is what Fedora is currently shipping
on stable branches:

http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/?h=f25

Then, we could update to 1.900.29, or even 2.0.10 -- which should
provide libjasper4 -- against which all jasper-dependent packages would
then have to be rebuilt.

--
Yaakov
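
Added example (not code from jasper or from this thread): the kind of ABI break described in the message above, shown with a hypothetical struct. The names memobj_v1, memobj_v2 and their members are assumptions chosen for illustration, and the sample values are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical public struct, as compiled into existing applications. */
struct memobj_v1 {
    unsigned char *buf;
    int bufsize;
    int len;
    int pos;
};

/* The same struct after a fix widens one member (int -> size_t). */
struct memobj_v2 {
    unsigned char *buf;
    size_t bufsize;
    int len;
    int pos;
};

/* Count the members whose offset differs between the two layouts. */
int moved_members(void) {
    return (offsetof(struct memobj_v1, bufsize) != offsetof(struct memobj_v2, bufsize))
         + (offsetof(struct memobj_v1, len) != offsetof(struct memobj_v2, len))
         + (offsetof(struct memobj_v1, pos) != offsetof(struct memobj_v2, pos));
}

/* Constructed sample object, as the rebuilt library would fill it in. */
struct memobj_v2 sample_obj(void) {
    struct memobj_v2 o = { NULL, 4096, 100, 7 };
    return o;
}

/* What a caller still built against the v1 header sees in that object
   (memcpy stands in for the caller reading through the library's pointer). */
struct memobj_v1 old_view(struct memobj_v2 obj) {
    struct memobj_v1 view;
    memcpy(&view, &obj, sizeof view);
    return view;
}

int main(void) {
    struct memobj_v2 o = sample_obj();
    struct memobj_v1 v = old_view(o);
    printf("members moved: %d\n", moved_members());
    printf("library wrote len=%d pos=%d; old caller reads len=%d pos=%d\n",
           o.len, o.pos, v.len, v.pos);
    return 0;
}
```

On an LP64 system two members move and the old caller reads the library's len where it expects pos; on a 32-bit system, where int and size_t have the same size, nothing moves, which is why the break only shows on 64-bit.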
* Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library
From: Dr. Volker Zell @ 2017-01-18 12:12 UTC
To: cygwin-apps

On 12.01.2017 21:26, Yaakov Selkowitz wrote:
> On 2017-01-03 08:32, Dr. Volker Zell wrote:
>> New versions of 'jasper/libjasper1/libjasper-devel' have been uploaded
>> to a server near you.
>>
>> o Build for cygwin 2.6.1 with gcc-5.4.0
>> o Update to latest version before ABI bump
>
> Not really; the fix therein for CVE-2015-5203 broke ABI on 64-bit
> systems by changing the size of an existing member of a public struct
> (int to size_t), just that they neglected to bump the ABI version until
> afterwards:
>
> https://github.com/mdadams/jasper/issues/84
>
> For compatibility with packages currently linked with libjasper1, this
> needs to be reverted in part. Here is what Fedora is currently shipping
> on stable branches:
>
> http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/?h=f25

Is this the complete current patchset relative to jasper-1.900.1, you
want me to apply ?

How to proceed with the current buggy package. Could
you just remove it ?

Thanks
Volker
* Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library
From: Yaakov Selkowitz @ 2017-02-22 19:53 UTC
To: cygwin-apps

On 2017-01-18 06:11, Dr. Volker Zell wrote:
> On 12.01.2017 21:26, Yaakov Selkowitz wrote:
>> On 2017-01-03 08:32, Dr. Volker Zell wrote:
>>> New versions of 'jasper/libjasper1/libjasper-devel' have been uploaded
>>> to a server near you.
>>>
>>> o Build for cygwin 2.6.1 with gcc-5.4.0
>>> o Update to latest version before ABI bump
>>
>> Not really; the fix therein for CVE-2015-5203 broke ABI on 64-bit
>> systems by changing the size of an existing member of a public struct
>> (int to size_t), just that they neglected to bump the ABI version until
>> afterwards:
>>
>> https://github.com/mdadams/jasper/issues/84
>>
>> For compatibility with packages currently linked with libjasper1, this
>> needs to be reverted in part. Here is what Fedora is currently shipping
>> on stable branches:
>>
>> http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/?h=f25
>
> Is this the complete current patchset relative to jasper-1.900.1, you
> want me to apply ?

No, the details are in the .spec file. In short, you want 1.900.13 plus
the jasper-1.900.1-CVE-2008-3520.patch and
jasper-1.900.13-CVE-2016-9583.patch patches.

Once that's uploaded, then let's proceed with an upgrade to 2.0.10,
which already has all the fixes along with the ABI version change.

> How to proceed with the current buggy package. Could
> you just remove it ?

Yes, I can do that.

--
Yaakov
* Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library
From: Yaakov Selkowitz @ 2017-03-24 19:02 UTC
To: cygwin-apps

On 2017-02-22 13:53, Yaakov Selkowitz wrote:
> On 2017-01-18 06:11, Dr. Volker Zell wrote:
>> On 12.01.2017 21:26, Yaakov Selkowitz wrote:
>>> On 2017-01-03 08:32, Dr. Volker Zell wrote:
>>>> New versions of 'jasper/libjasper1/libjasper-devel' have been uploaded
>>>> to a server near you.
>>>>
>>>> o Build for cygwin 2.6.1 with gcc-5.4.0
>>>> o Update to latest version before ABI bump
>>>
>>> Not really; the fix therein for CVE-2015-5203 broke ABI on 64-bit
>>> systems by changing the size of an existing member of a public struct
>>> (int to size_t), just that they neglected to bump the ABI version until
>>> afterwards:
>>>
>>> https://github.com/mdadams/jasper/issues/84
>>>
>>> For compatibility with packages currently linked with libjasper1, this
>>> needs to be reverted in part. Here is what Fedora is currently shipping
>>> on stable branches:
>>>
>>> http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/?h=f25
>>
>> Is this the complete current patchset relative to jasper-1.900.1, you
>> want me to apply ?
>
> No, the details are in the .spec file. In short, you want 1.900.13 plus
> the jasper-1.900.1-CVE-2008-3520.patch and
> jasper-1.900.13-CVE-2016-9583.patch patches.

There are now additionally jasper-1.900.13-CVE-2016-9262.patch and
jasper-1.900.13-CVE-2016-8654.patch.

> Once that's uploaded, then let's proceed with an upgrade to 2.0.10,
> which already has all the fixes along with the ABI version change.

That's 2.0.12 now.

--
Yaakov
* Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library
From: Yaakov Selkowitz @ 2017-05-05 20:37 UTC
To: cygwin-apps

On 2017-03-24 14:02, Yaakov Selkowitz wrote:
> On 2017-02-22 13:53, Yaakov Selkowitz wrote:
>> No, the details are in the .spec file. In short, you want 1.900.13 plus
>> the jasper-1.900.1-CVE-2008-3520.patch and
>> jasper-1.900.13-CVE-2016-9583.patch patches.
>
> There are now additionally jasper-1.900.13-CVE-2016-9262.patch and
> jasper-1.900.13-CVE-2016-8654.patch.
>
>> Once that's uploaded, then let's proceed with an upgrade to 2.0.10,
>> which already has all the fixes along with the ABI version change.
>
> That's 2.0.12 now.

Unfortunately, some of my packages ended up being built against the
later libjasper1, so it's too late to revert this cleanly. Therefore, I
have left it alone, uploaded 2.0.12, and rebuilt all my dependent packages.

Marco, that leaves your gdal and GraphicsMagick as the only packages
still using libjasper1.

--
Yaakov
* Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library
From: Marco Atzeri @ 2017-05-07 8:42 UTC
To: cygwin-apps

On 05/05/2017 22:37, Yaakov Selkowitz wrote:
> On 2017-03-24 14:02, Yaakov Selkowitz wrote:
>> On 2017-02-22 13:53, Yaakov Selkowitz wrote:
>>> No, the details are in the .spec file. In short, you want 1.900.13 plus
>>> the jasper-1.900.1-CVE-2008-3520.patch and
>>> jasper-1.900.13-CVE-2016-9583.patch patches.
>>
>> There are now additionally jasper-1.900.13-CVE-2016-9262.patch and
>> jasper-1.900.13-CVE-2016-8654.patch.
>>
>>> Once that's uploaded, then let's proceed with an upgrade to 2.0.10,
>>> which already has all the fixes along with the ABI version change.
>>
>> That's 2.0.12 now.
>
> Unfortunately, some of my packages ended up being built against the
> later libjasper1, so it's too late to revert this cleanly. Therefore, I
> have left it alone, uploaded 2.0.12, and rebuilt all my dependent packages.
>
> Marco, that leaves your gdal and GraphicsMagick as the only packages
> still using libjasper1.

Rebuilding GraphicsMagick.
Gdal should have a new release in short.

Regards
Marco