[Pkg-phototools-devel] Bug#876535: openjpeg2: Incorporate lost changelogs (and possibly changes) for NMUs 2.1.2-1.1, 2.1.2-1.2 and 2.1.2-1.3

Salvatore Bonaccorso carnil at debian.org
Mon Sep 25 19:05:09 UTC 2017


Hi Mathieu,

On Mon, Sep 25, 2017 at 10:12:31AM +0200, Mathieu Malaterre wrote:
> Control: tags -1 pending
> 
> Hi Salvatore,
> 
> On Sat, Sep 23, 2017 at 1:59 PM, Salvatore Bonaccorso <carnil at debian.org> wrote:
> > Source: openjpeg2
> > Version: 2.2.0-1
> > Severity: normal
> >
> > Hi Mathieu,
> >
> > There was an update for openjpeg2 not incorporating the NMU changelog
> > for 2.1.2-1.1, 2.1.2-1.2 and 2.1.2-1.3. Please consider incorporating
> > those again (and double check no change was lost; I guess not, as all
> > should in the meantime be included in 2.2.0, but for #851422 I'm unsure
> > if it was fully covered, see the respective upstream issues which only
> > partially landed in 2.2.0).
> >
> > Specifically there were some CVEs addressed, which are hopefully still
> > fixed in 2.2.0-1; the FTBFS definitively seems so.
> >
> > ----cut---------cut---------cut---------cut---------cut---------cut-----
> > diff -Nru openjpeg2-2.1.2/debian/changelog openjpeg2-2.2.0/debian/changelog
> > --- openjpeg2-2.1.2/debian/changelog    2017-08-12 15:54:38.000000000 +0200
> > +++ openjpeg2-2.2.0/debian/changelog    2017-09-22 21:51:36.000000000 +0200
> > @@ -1,26 +1,13 @@
> > -openjpeg2 (2.1.2-1.3) unstable; urgency=medium
> > +openjpeg2 (2.2.0-1) unstable; urgency=medium
> >
> > -  * Fix FTFBS (Closes: #871905)
> > +  * New upstream release. Closes: #872041
> > +  * Fix CVE-2016-9113. Closes: #844552
> > +  * Fix CVE-2016-9114. Closes: #844553
> > +  * Fix CVE-2016-9115. Closes: #844554
> > +  * Fix CVE-2016-9116. Closes: #844555
> > +  * Fix CVE-2016-9117. Closes: #844556
> >
> > - -- Moritz Muehlenhoff <jmm at debian.org>  Sat, 12 Aug 2017 15:54:38 +0200
> > -
> > -openjpeg2 (2.1.2-1.2) unstable; urgency=medium
> > -
> > -  * Non-maintainer upload
> > -  * Fix CVE-2016-1626, CVE-2016-1628, CVE-2016-5152, CVE-2016-9112 and
> > -    CVE-2016-9118.patch
> > -
> > - -- Moritz Muehlenhoff <jmm at debian.org>  Fri, 11 Aug 2017 22:17:07 +0200
> > -
> > -openjpeg2 (2.1.2-1.1) unstable; urgency=medium
> > -
> > -  * Non-maintainer upload.
> > -  * Add CVE-2016-9572_CVE-2016-9573.patch patch.
> > -    CVE-2016-9572: NULL pointer dereference in input decoding
> > -    CVE-2016-9573: Heap out-of-bounds read due to insufficient check in
> > -    imagetopnm(). (Closes: #851422)
> > -
> > - -- Salvatore Bonaccorso <carnil at debian.org>  Sun, 22 Jan 2017 14:18:13 +0100
> > + -- Mathieu Malaterre <malat at debian.org>  Fri, 22 Sep 2017 21:51:36 +0200
> >
> >  openjpeg2 (2.1.2-1) unstable; urgency=medium
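Review bot: The new 2.2.0-1 stanza is written over the 2.1.2-1.1, 2.1.2-1.2 and 2.1.2-1.3 entries instead of being added above them, so the changelog goes straight from 2.2.0-1 to 2.1.2-1 and loses the record of the NMU fixes: CVE-2016-9572 and CVE-2016-9573 (Closes: #851422), CVE-2016-1626, CVE-2016-1628, CVE-2016-5152, CVE-2016-9112 and CVE-2016-9118, and the FTBFS fix (Closes: #871905). Restore the three removed stanzas unchanged below the 2.2.0-1 entry, and confirm that the patches they name are either still applied or contained in the new upstream release. Separately, the five added "Fix CVE-2016-9113" to "Fix CVE-2016-9117" lines each carry a Closes: for #844552 to #844556, but nothing in this hunk shows which upstream change resolves them; each Closes: should stay only once the fix is confirmed present in 2.2.0.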
> > ----cut---------cut---------cut---------cut---------cut---------cut-----
> >
> > Thanks for your time, double-checking and working on openjpeg2!
> 
> Wow ! That was bad :( Thanks for catching my mistake.

Thanks a lot for looking that quickly into this!

And thanks for reopening the bugs regarding the 2.2.0-1 stanza, which
are still under investigation/not yet fixed.

Regards,
Salvatore


