https://bugzilla.redhat.com/show_bug.cgi?id=1049546

František Dvořák <valtri@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |valtri@xxxxxxxxxx

--- Comment #2 from František Dvořák <valtri@xxxxxxxxxx> ---
A quick peek at the libtiff package uncovers the following CVEs:

CVE-2012-4447
CVE-2012-4564
CVE-2013-1960
CVE-2013-1961
CVE-2013-4231
CVE-2013-4232
CVE-2013-4244

and others are upcoming. Even with an exception from FPC, it would be quite hard to maintain this...

But, in the original patch of native freeimage, bundling of libjpeg and libtiff is solved (or rather worked around): JPEG transformation functions are simply disabled, libtiff needs some patch and disabling G3 (fax).

I've looked at your patch and combined it with the current freeimage patch and updated, and here are the results:

http://scientific.zcu.cz/git/?p=FreeImage.git;a=summary

Or one tarball with the patches:

http://scientific.zcu.cz/fedora/freeimage-3.5.14/patches.tar.gz

- it looks like the libmng dependency is not needed anymore
- converting newlines before patching is a very good idea :-)
- separated patches could be good for future maintenance, but that's up to packagers and co-maintainers of course
- the main problem now is testing (it could help to push the patches to the native freeimage package...)

Frantisek