This is the mail archive of the cygwin-apps mailing list for the Cygwin project.


Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library

On 2017-02-22 13:53, Yaakov Selkowitz wrote:
On 2017-01-18 06:11, Dr. Volker Zell wrote:
On 12.01.2017 21:26, Yaakov Selkowitz wrote:
On 2017-01-03 08:32, Dr. Volker Zell wrote:
New versions of 'jasper/libjasper1/libjasper-devel' have been uploaded
to a server near you.

 o Build for cygwin 2.6.1 with gcc-5.4.0
 o Update to latest version before ABI bump

Not really; the fix therein for CVE-2015-5203 broke ABI on 64-bit
systems by changing the size of an existing member of a public struct
(int to size_t), just that they neglected to bump the ABI version until

For compatibility with packages currently linked with libjasper1, this
needs to be reverted in part.  Here is what Fedora is currently shipping
on stable branches:

Is this the complete current patchset relative to jasper-1.900.1, you
want me to apply?

No, the details are in the .spec file.  In short, you want 1.900.13 plus
the jasper-1.900.1-CVE-2008-3520.patch and
jasper-1.900.13-CVE-2016-9583.patch patches.

There are now additionally jasper-1.900.13-CVE-2016-9262.patch and jasper-1.900.13-CVE-2016-8654.patch.

Once that's uploaded, then let's proceed with an upgrade to 2.0.10,
which already has all the fixes along with the ABI version change.

That's 2.0.12 now.
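
The ABI break discussed in this thread (an existing public struct member widened from int to size_t), shown as an added example that is not part of the original messages and is not jasper's code. The struct and its member names are hypothetical; the program compares the two layouts and shows what a caller built against the old header reads from an object filled in by the new library.

```c
/* Added example: hypothetical struct, not jasper's real definition. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout old binaries were compiled against (member is int). */
struct stream_old { int flags; int bufsize; unsigned char *buf; int cnt; };
/* Layout after the member was widened to size_t. */
struct stream_new { int flags; size_t bufsize; unsigned char *buf; int cnt; };

struct member { const char *name; size_t off_old, size_old, off_new, size_new; };
#define M(f) { #f, offsetof(struct stream_old, f), sizeof(((struct stream_old *)0)->f), \
                   offsetof(struct stream_new, f), sizeof(((struct stream_new *)0)->f) }
static const struct member members[] = { M(flags), M(bufsize), M(buf), M(cnt) };
#define NMEMBERS ((int)(sizeof members / sizeof members[0]))

/* Index of the first member whose offset or size changed, -1 if none. */
int first_abi_break(void)
{
    for (int i = 0; i < NMEMBERS; i++)
        if (members[i].off_old != members[i].off_new ||
            members[i].size_old != members[i].size_new)
            return i;
    return -1;
}

/* What a caller built against the old header gets when it loads `buf`
 * from an object that the new library filled in. */
uintptr_t old_caller_reads_buf(size_t bufsize)
{
    static unsigned char storage[16];
    struct stream_new s;
    unsigned char *p;
    memset(&s, 0, sizeof s);
    s.bufsize = bufsize;
    s.buf = storage;
    memcpy(&p, (const char *)&s + offsetof(struct stream_old, buf), sizeof p);
    return (uintptr_t)p;
}

int main(void)
{
    for (int i = 0; i < NMEMBERS; i++)
        printf("%-8s old off=%zu size=%zu   new off=%zu size=%zu\n", members[i].name,
               members[i].off_old, members[i].size_old, members[i].off_new, members[i].size_new);
    printf("first break: %d, old caller sees buf=%#lx\n",
           first_abi_break(), (unsigned long)old_caller_reads_buf(4096));
    return 0;
}
```

Where int and size_t have the same size the layouts match and `first_abi_break()` returns -1, which is why the breakage only shows up on 64-bit systems.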

