GNU bug report logs - #26009
libpng-apng


Package: guix-patches

Reported by: ng0 <contact.ng0 <at> cryptolab.net>

Date: Tue, 7 Mar 2017 11:12:01 UTC

Severity: normal

Done: ng0 <contact.ng0 <at> cryptolab.net>

Bug is archived. No further changes may be made.


From: Kei Kebreau <kei <at> openmailbox.org>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 26009 <at> debbugs.gnu.org
Subject: bug#26009: libpng-apng
Date: Tue, 14 Mar 2017 13:24:22 -0400
ludo <at> gnu.org (Ludovic Courtès) writes:

> ng0 <contact.ng0 <at> cryptolab.net> writes:
>
>>> That said, please make sure the security issues fixed in ‘libpng/fixed’
>>> are also fixed in libpng-apng!
>
> [...]
>
>> Do you have any advice how this could be achieved?
>
> I’d check whether libpng-CVE-2016-10087.patch applies to libpng-apng
> (it’s the patch that ‘libpng/fixed’ applies.)
>
> Going forward, if the code bases are similar enough, we may have to add
> a (cpe-name . "libpng") property to libpng-apng so that ‘guix lint -c
> cve’ would report libpng’s vulnerabilities.
>
> HTH!
>
> Ludo’.

Those tips helped quite a bit! Libpng-apng now builds reproducibly. Now
the only issues are the CVE patch name not beginning with "libpng-apng"
and the sourceforge URL using "*.sourceforge.net/project" instead of
"*.sourceforge.net/projects" (this detail leads to a 404 Error while linting).

This bug report was last modified 8 years and 153 days ago.
