
Re: configure.in is missing but...



2017-11-25 2:13 GMT-02:00 Paul Wise <pabs@debian.org>:
> On Fri, Nov 24, 2017 at 9:33 PM, Ian Jackson wrote:
>
>> Can't you find a copy of the configure.ac somewhere ?  If not, you may
>> be able to reconstruct one.  Skimreading the configure script suggests
>> that wouldn't be too hard.


Thanks Ian,

At first glance, creating a new configure.ac seems a bit hard. I
already made some configure.ac for some projects. However, I am not
the upstream and it is a complicating factor. I will try to make
something.


> It looks like the jpeg-6b-steg is a modified embedded code copy of
> libjpeg6b. outguess upstream really should send their patches in
> jpeg-6b-steg.diff to libjpeg upstream and remove the copy. I expect
> that outguess is probably vulnerable to the various libjpeg CVEs that
> have been released over the years.
>
> Looking at the unmodified source code, libjpeg upstream didn't release
> their configure.ac file until libjpeg7:
>
> http://ijg.org/files/jpegsrc.v6b.tar.gz
> http://ijg.org/files/jpegsrc.v7.tar.gz


Thanks a lot Paul. It is a good catch.


> So I think what needs to happen here is that outguess needs a proper
> upstream project to exist and be active, remove the embedded code copy
> and port the diff to a newer libjpeg and upstream that and then get
> that uploaded to Debian.


I agree.

Cheers,

Eriberto

