GNU bug report logs - #30801
[PATCH 0/1] Add opencv

Package: guix-patches

Reported by: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>

Date: Tue, 13 Mar 2018 16:59:01 UTC

Severity: normal

Tags: patch

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.

Message #34 received at 30801-done <at> debbugs.gnu.org (full text, mbox):

From: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: 30801-done <at> debbugs.gnu.org
Subject: Re: [bug#30801]  Add opencv
Date: Sun, 13 May 2018 01:42:38 +0200
On Fri, 11 May 2018 14:00:05 +0200
ludo <at> gnu.org (Ludovic Courtès) wrote:

> >> ‘guix lint’ reports this:
> >> 
> >>   gnu/packages/image-processing.scm:201:2: opencv@3.4.1: probably
> >> vulnerable to CVE-2018-7712, CVE-2018-7713, CVE-2018-7714
> >> 
> >> Could you take a look?  It could be that 3.4.2 is around the corner
> >> and we’ll just update at that point; if not, we may have to apply
> >> upstream patches for these issues.  
> >
> > While finally linting, I noticed these too. OpenCV claims this is
> > not an issue:
> >
> > https://github.com/opencv/opencv/issues/10998
> >
> > Should we mention it somewhere in the code? Is there a formal
> > process to hide or comment specific CVEs?  
> 
> The developer’s reasoning makes sense to me (IOW, the CVEs should be
> against the applications that don’t handle exceptions properly rather
> than against OpenCV itself.)
> 
> You can use the ‘lint-hidden-cve’ property to explicitly hide them.
> Please add a comment with the URL above as well.

I added a new patch including documentation about lint-hidden-cve:

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31437

Björn
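
How the `lint-hidden-cve` property discussed in this message is written, as an added example that is not part of the original thread, the patch in bug#31437, or Guix's own opencv definition. The module name `(my-packages opencv)` and the variable `opencv-cves-reviewed` are hypothetical, and the variant inherits whichever `opencv` the local Guix provides.

```scheme
;; Added example: hide disputed CVEs from the `cve' checker of `guix lint'.
;; Module and variable names are hypothetical.
(define-module (my-packages opencv)
  #:use-module (guix packages)
  #:use-module (gnu packages image-processing))

(define-public opencv-cves-reviewed
  (package
    (inherit opencv)
    (properties
     ;; Upstream does not consider these to be OpenCV issues; record the
     ;; reasoning next to the suppression so a later reviewer can re-check it:
     ;; https://github.com/opencv/opencv/issues/10998
     `((lint-hidden-cve . ("CVE-2018-7712"
                           "CVE-2018-7713"
                           "CVE-2018-7714"))
       ;; Keep any properties the inherited package already carries.
       ,@(package-properties opencv)))))
```

The property only silences the listed ids; any other CVE matched against the package is still reported, so the list should be revisited when the package is updated.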
This bug report was last modified 7 years and 13 days ago.