From f79a576e776eb299af52d60cdd51f4a4f79beee3 Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Sat, 28 Nov 2015 16:29:11 +0100 Subject: gnu: jasper: Patch CVE-2008-3522. * gnu/packages/patches/jasper-CVE-2008-3522.patch: New file. * gnu/packages/image.scm (jasper)[source]: Use it. * gnu-system.am (dist_patch_DATA): Add it. --- gnu/packages/image.scm | 3 ++- gnu/packages/patches/jasper-CVE-2008-3522.patch | 14 ++++++++++++++ 2 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/jasper-CVE-2008-3522.patch (limited to 'gnu/packages') diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index 8a4a42a295..f3f89f6be6 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -714,7 +714,8 @@ (define-public jasper "/software/jasper-" version ".zip")) (sha256 (base32 - "154l7zk7yh3v8l2l6zm5s2alvd2fzkp6c9i18iajfbna5af5m43b")))) + "154l7zk7yh3v8l2l6zm5s2alvd2fzkp6c9i18iajfbna5af5m43b")) + (patches (list (search-patch "jasper-CVE-2008-3522.patch"))))) (build-system gnu-build-system) (native-inputs `(("unzip" ,unzip))) diff --git a/gnu/packages/patches/jasper-CVE-2008-3522.patch b/gnu/packages/patches/jasper-CVE-2008-3522.patch new file mode 100644 index 0000000000..10cfec99a5 --- /dev/null +++ b/gnu/packages/patches/jasper-CVE-2008-3522.patch @@ -0,0 +1,14 @@ +Fix CVE-2008-3522 (buffer overflow in 'jas_stream_printf'). +Patch from . + +--- jasper-1.900.1/src/libjasper/base/jas_stream.c 2008-09-08 14:56:01.000000000 +0200 ++++ jasper-1.900.1/src/libjasper/base/jas_stream.c 2008-09-08 14:58:16.000000000 +0200 +@@ -553,7 +553,7 @@ int jas_stream_printf(jas_stream_t *stre + int ret; + + va_start(ap, fmt); +- ret = vsprintf(buf, fmt, ap); ++ ret = vsnprintf(buf, sizeof buf, fmt, ap); + jas_stream_puts(stream, buf); + va_end(ap); + return ret; -- cgit v1.2.3