From c20903ac3de35aabed9b28ca4b51fdcc333580fa Mon Sep 17 00:00:00 2001
From: Benjamin A. Beasley
Date: Oct 22 2021 23:46:27 +0000
Subject: Fix CVE-2021-42715 and CVE-2021-42716 in stb_image

Require stb_image >= 2.27-0.7 at build time and runtime to ensure fixes for all of CVE-2021-28021, CVE-2021-42715, and CVE-2021-42716 are present.

---
diff --git a/mlpack.spec b/mlpack.spec
index 41badd0..f2e27eb 100644
--- a/mlpack.spec
+++ b/mlpack.spec
@@ -1,6 +1,6 @@
 Name: mlpack
 Version: 3.4.2
-Release: 11%{?dist}
+Release: 12%{?dist}
 Summary: Scalable, fast C++ machine learning library
 
 License: BSD
@@ -33,7 +33,9 @@ BuildRequires: boost-devel, cli11-devel, boost-math, boost-serialization >= 1.4
 
 BuildRequires: pkg-config
 # Header-only librarires (-static is for tracking per guidelines)
-BuildRequires: stb_image-devel
+# stb_image 2.27-0.7 is the minimum EVR to contain fixes for all of
+# CVE-2021-28021, CVE-2021-42715, and CVE-2021-42716.
+BuildRequires: stb_image-devel >= 2.27-0.7
 BuildRequires: stb_image-static
 BuildRequires: stb_image_write-devel
 BuildRequires: stb_image_write-static
@@ -90,7 +92,9 @@ Requires: boost-devel, boost-program-options, boost-math
 Requires: libxml2-devel
 Requires: lapack-devel
 Requires: pkg-config
-Requires: stb_image-devel%{?_isa}
+# stb_image 2.27-0.7 is the minimum EVR to contain fixes for all of
+# CVE-2021-28021, CVE-2021-42715, and CVE-2021-42716.
+Requires: stb_image-devel%{?_isa} >= 2.27-0.7
 Requires: stb_image_write-devel%{?_isa}
 
 %description devel
@@ -309,6 +313,9 @@ cp LICENSE.txt $RPM_BUILD_ROOT/%{our_docdir}
 %{python3_sitearch}/mlpack-*.egg-info
 
 %changelog
+* Fri Oct 22 2021 Benjamin A. Beasley - 3.4.2-12
+- Fix CVE-2021-42715 and CVE-2021-42716 in stb_image
+
 * Mon Aug 23 2021 Benjamin A. Beasley - 3.4.2-11
 - Simplify stb unbundling
 
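Review bot: The minimum EVR `2.27-0.7` and its two-line explanatory comment are written out twice, once on the `BuildRequires: stb_image-devel` line in this hunk and again on the `Requires: stb_image-devel%{?_isa}` line in the hunk at line 92, so the next stb_image advisory has to be applied in two places and the two constraints can silently drift apart. Defining the floor once near the top of the spec, e.g. `%global stb_image_min_evr 2.27-0.7`, and writing `BuildRequires: stb_image-devel >= %{stb_image_min_evr}` and `Requires: stb_image-devel%{?_isa} >= %{stb_image_min_evr}` would keep build-time and install-time floors identical by construction, with the CVE list kept in a single comment next to the macro. The unchanged `BuildRequires: stb_image-static` line stays unversioned; given the existing comment that -static is tracking-only, that is presumably intended, but it is worth confirming that the -static subpackage cannot supply a different header than -devel does.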
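Review bot: The new `Requires: stb_image-devel%{?_isa} >= 2.27-0.7` sits in the block immediately before `%description devel`, so it appears to constrain only the mlpack-devel subpackage, and the comment above it does not say what that constraint protects. Because stb_image is header-only (per the "Header-only" comment in the hunk at line 33), the fixed code reaches the mlpack runtime binaries only through the BuildRequires floor and the rebuild implied by the Release bump, while this Requires guarantees that downstream consumers which compile against mlpack's headers pick up a fixed stb_image.h. I would extend the comment to state that split, e.g. `# The runtime fix is compiled into mlpack binaries via BuildRequires; this floor covers consumers building against mlpack-devel headers.`, so a future reader does not mistake this line for the runtime remediation. If mlpack's installed headers do not in fact include stb_image.h, the comment should say so instead; I cannot confirm that from the hunk.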