Re: configure.in is missing but...

To: eriberto@debian.org
Cc: debian-legal@lists.debian.org
Subject: Re: configure.in is missing but...
From: Paul Wise <pabs@debian.org>
Date: Sat, 25 Nov 2017 12:13:13 +0800
Message-id: <[🔎] CAKTje6F-BQNEDm8oQrza9XtTx_64JH-JiOjyah1HUfL2Ui7c8Q@mail.gmail.com>
In-reply-to: <[🔎] 23064.8124.905357.138379@chiark.greenend.org.uk>
References: <[🔎] CAP+dXJcDjO4OxJojgmjDLGYA16WMZjq_b3yEbGMeZ1m2wZ=WOA@mail.gmail.com> <[🔎] 23064.8124.905357.138379@chiark.greenend.org.uk>

On Fri, Nov 24, 2017 at 9:33 PM, Ian Jackson wrote:

> Can't you find a copy of the configure.ac somewhere ?  If not, you may
> be able to reconstruct one.  Skimreading the configure script suggests
> that wouldn't be too hard.

It looks like the jpeg-6b-steg is a modified embedded code copy of
libjpeg6b. outguess upstream really should send their patches in
jpeg-6b-steg.diff to libjpeg upstream and remove the copy. I expect
that outguess is probably vulnerable to the various libjpeg CVEs that
have been released over the years.

Looking at the unmodified source code, libjpeg upstream didn't release
their configure.ac file until libjpeg7:

http://ijg.org/files/jpegsrc.v6b.tar.gz
http://ijg.org/files/jpegsrc.v7.tar.gz

So I think what needs to happen here is that outguess needs a proper
upstream project to exist and be active, remove the embedded code copy
and port the diff to a newer libjpeg and upstream that and then get
that uploaded to Debian.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply to:

Follow-Ups:
- Re: configure.in is missing but...
  - From: Eriberto Mota <eriberto@debian.org>

References:
- configure.in is missing but...
  - From: Eriberto Mota <eriberto@debian.org>
- Re: configure.in is missing but...
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

Prev by Date: Re: French gov open license
Next by Date: Re: French gov open license
Previous by thread: Re: configure.in is missing but...
Next by thread: Re: configure.in is missing but...
Index(es):
- Date
- Thread