GNU bug report logs - #30801
[PATCH 0/1] Add opencv

Package: guix-patches;

Reported by: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>

Date: Tue, 13 Mar 2018 16:59:01 UTC

Severity: normal

Tags: patch

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.


Message #31 received at 30801-done <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
Cc: 30801-done <at> debbugs.gnu.org
Subject: Re: [bug#30801]  Add opencv
Date: Fri, 11 May 2018 14:00:05 +0200

Hello!

Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de> wrote:

> On Thu, 10 May 2018 00:01:13 +0200
> ludo <at> gnu.org (Ludovic Courtès) wrote:

[...]

>> ‘guix lint’ reports this:
>> 
>>   gnu/packages/image-processing.scm:201:2: opencv <at> 3.4.1: probably
>> vulnerable to CVE-2018-7712, CVE-2018-7713, CVE-2018-7714
>> 
>> Could you take a look?  It could be that 3.4.2 is around the corner
>> and we’ll just update at that point; if not, we may have to apply
>> upstream patches for these issues.
>
> While finally linting, I noticed these too. OpenCV claims this is not
> an issue:
>
> https://github.com/opencv/opencv/issues/10998
>
> Should we mention it somewhere in the code? Is there a formal process
> to hide or comment specific CVEs?

The developer’s reasoning makes sense to me (IOW, the CVEs should be
against the applications that don’t handle exceptions properly rather
than against OpenCV itself.)

You can use the ‘lint-hidden-cve’ property to explicitly hide them.
Please add a comment with the URL above as well.

Thanks,
Ludo’.
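
As an added illustration (not part of this thread or of the submitted patch), this is how the `lint-hidden-cve` property mentioned above can be written inside the opencv package definition. The elided fields stand for whatever the patch already defines.

```scheme
(define-public opencv
  (package
    (name "opencv")
    (version "3.4.1")
    ;; ... source, build-system, inputs, synopsis and so on stay as in
    ;; the submitted patch; they are elided in this added fragment ...
    (properties
     ;; Upstream does not consider these to be issues in OpenCV itself;
     ;; see https://github.com/opencv/opencv/issues/10998
     '((lint-hidden-cve . ("CVE-2018-7712"
                           "CVE-2018-7713"
                           "CVE-2018-7714"))))))
```

With the property in place, `guix lint -c cve opencv` should stop reporting these three identifiers, while any CVE not listed is still flagged.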




This bug report was last modified 7 years and 13 days ago.
