Re: Updated: {jasper/libjasper1/libjasper-devel}-1.900.22-1: JPEG-2000 codec library

[Yaakov Selkowitz <yselkowitz at cygwin dot com>]

On 2017-01-18 06:11, Dr. Volker Zell wrote:
> On 12.01.2017 21:26, Yaakov Selkowitz wrote:
> > On 2017-01-03 08:32, Dr. Volker Zell wrote:
> > > New versions of 'jasper/libjasper1/libjasper-devel' have been uploaded
> > > to a server near you.
> > >
> > >  o Build for cygwin 2.6.1 with gcc-5.4.0
> > >  o Update to latest version before ABI bump
> >
> > Not really; the fix therein for CVE-2015-5203 broke ABI on 64-bit
> > systems by changing the size of an existing member of a public struct
> > (int to size_t), just that they neglected to bump the ABI version until
> > afterwards:
> >
> > https://github.com/mdadams/jasper/issues/84
> >
> > For compatibility with packages currently linked with libjasper1, this
> > needs to be reverted in part.  Here is what Fedora is currently shipping
> > on stable branches:
> >
> > http://pkgs.fedoraproject.org/cgit/rpms/jasper.git/tree/?h=f25
>
> Is this the complete current patchset relative to jasper-1.900.1, you
> want me to apply ?

No, the details are in the .spec file.  In short, you want 1.900.13 plus 
the jasper-1.900.1-CVE-2008-3520.patch and 
jasper-1.900.13-CVE-2016-9583.patch patches.

Once that's uploaded, then let's proceed with an upgrade to 2.0.10, 
which already has all the fixes along with the ABI version change.

> How to proceed with the current buggy package. Could
> you just remove it ?

Yes, I can do that.

--
Yaakov