GNU bug report logs - #26109
[PATCH 3/7] gnu: Add dcmtk.

Previous Next

Package: guix-patches;

Reported by: John Darrington <jmd <at> gnu.org>

Date: Wed, 15 Mar 2017 20:07:01 UTC

Severity: normal

Tags: patch

Done: Ricardo Wurmus <rekado <at> elephly.net>

Bug is archived. No further changes may be made.

Full log

Message #29 received at 26109 <at> debbugs.gnu.org (full text, mbox):

From: John Darrington <john <at> darrington.wattle.id.au>
To: Leo Famulari <leo <at> famulari.name>
Cc: 26109 <at> debbugs.gnu.org
Subject: Re: bug#26109: [PATCH 3/7] gnu: Add dcmtk.
Date: Tue, 21 Mar 2017 03:30:43 +0100

[Message part 1 (text/plain, inline)]
On Mon, Mar 20, 2017 at 10:12:40PM -0400, Leo Famulari wrote:
     On Sat, Mar 18, 2017 at 08:23:35AM +0100, John Darrington wrote:
     > On Fri, Mar 17, 2017 at 04:42:59PM -0400, Kei Kebreau wrote:
     >      
     >      Judging from the description of the software, it seems like this could
     >      fit in gnu/packages/image.scm.
     >      Also, the linter says that this package vulnerable to
     >      CVE-2015-8979. Supposedly this* upstream patch fixes it. Could you see
     >      if that fix works for this package?
     >      
     >      * https://github.com/commontk/DCMTK/commit/1b6bb76
     >      
     > 
     > Unfortunately this patch doesn't go in.  It seems that as well as fixing this
     > vulnerability it also makes some unrelated changes.  Furthermore, it depends
     > on a whole lot of other patches which are not in this release.
     > 
     > Do we have a procedure on what to do in cases like this?
     
     We could see what other distros have done. Maybe they have a simpler
     patch we could copy. 

I did try that too.  Unfortunately the Debian patch seems to have combined some non-CVE
fixes into the same patch AND that patch is dependendent upon some other unrelated patches.

I probably could with a lot of trial and error make a patch which works, but IMO that
defeats the purpose.  I security patch should be A) as simple as possible; B) not 
contain any unrelated fixes; and C) prepared by someone who knows what she is doing.

     Or, we could try building from an arbitrary Git commit.

Yes. That is the other option -  I think it might be a what we'll have to do.

J'



-- 
Avoid eavesdropping.  Send strong encrypted email.
PGP Public key ID: 1024D/2DE827B3 
fingerprint = 8797 A26D 0854 2EAB 0285  A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.


[signature.asc (application/pgp-signature, inline)]
This bug report was last modified 8 years and 12 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.