unofficial mirror of bug-guix@gnu.org 
* bug#27621: [PATCH] gnu: inkscape: Use ungrafted poppler input.
From: Ben Woodcroft @ 2017-07-08 11:08 UTC
  To: 27621

Currently Inkscape fails to start as the poppler shared library changes from
libpoppler.so.66 to libpoppler.so.67 upon grafting. Is this the correct way
to fix this issue?

I'm not quite sure why poppler is grafted in the first place, given there are
so few dependencies (26)? Should it simply be updated?

Thanks, ben


* bug#27621: [PATCH] gnu: inkscape: Use ungrafted poppler input.
From: Ben Woodcroft @ 2017-07-08 11:08 UTC
  To: 27621

Previously, inkscape failed to start, attempting to load an incorrect
poppler shared library version.

* gnu/packages/inkscape.scm (inkscape)[inputs]: Replace poppler with
poppler-0.56.0.
* gnu/packages/pdf.scm (poppler-0.56.0): Export it.
---
 gnu/packages/inkscape.scm | 3 ++-
 gnu/packages/pdf.scm      | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/inkscape.scm b/gnu/packages/inkscape.scm
index 0f28e640a..b52c2e1a2 100644
--- a/gnu/packages/inkscape.scm
+++ b/gnu/packages/inkscape.scm
@@ -59,7 +59,8 @@
        ("gtkmm" ,gtkmm-2)
        ("gtk" ,gtk+-2)
        ("gsl" ,gsl)
-       ("poppler" ,poppler)
+       ("poppler" ,poppler-0.56.0) ; Use an ungrafted poppler so the correct
+                                   ; library is loaded.
        ("libpng" ,libpng)
        ("libxml2" ,libxml2)
        ("libxslt" ,libxslt)
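
Review bot: The new `("poppler" ,poppler-0.56.0)` input pins inkscape to one versioned variable, and the two-line comment beside it does not say which library counts as "correct" or when the pin can be dropped. If this workaround stays, name bug#27621 in the comment and state the condition for going back to `,poppler`, so the pin does not outlive the problem it works around.
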
diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
index dce02a7b5..574b223ee 100644
--- a/gnu/packages/pdf.scm
+++ b/gnu/packages/pdf.scm
@@ -130,7 +130,7 @@
    (license license:gpl2+)
    (home-page "https://poppler.freedesktop.org/")))
 
-(define poppler-0.56.0
+(define-public poppler-0.56.0
   (package (inherit poppler)
   (version "0.56.0")
   (source
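
Review bot: Changing `(define poppler-0.56.0` to `(define-public poppler-0.56.0` exports the variable from pdf.scm only so that inkscape.scm can reference it, and nothing at the definition records that purpose. Add a comment above it saying why it is public and which package depends on it, so the export can be reverted together with the inkscape change.
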
-- 
2.13.2


* bug#27621: Poppler's replacement is ABI-incompatible with the original
From: Mark H Weaver @ 2017-07-08 22:04 UTC
  To: Ben Woodcroft, Leo Famulari; +Cc: 27621, control

retitle 27621 Poppler's replacement is ABI-incompatible with the original
severity 27621 important
thanks

Ben Woodcroft <donttrustben@gmail.com> writes:

> Currently Inkscape fails to start as the poppler shared library changes from
> libpoppler.so.66 to libpoppler.so.67 upon grafting. Is this the correct way
> to fix this issue?

The problem is that poppler's replacement is not ABI compatible with the
original.  This will likely break any program linked with libpoppler.
This needs to be fixed in poppler.  We should not work around this by
changing our inkscape package.

> I'm not quite sure why poppler is grafted in the first place, given there are
> so few dependencies (26)? Should it simply be updated?

How did you count 26?  According to "guix refresh -l poppler", poppler
has 1643 dependent packages per platform.  That's too many.

The problem originated with the following security update:

leo@famulari.name (Leo Famulari) writes:
> lfam pushed a commit to branch master
> in repository guix.
>
> commit 95bbaa02aa63bc5eae36f686f1ed9915663aa4cf
> Author: Leo Famulari <leo@famulari.name>
> Date:   Thu Jun 29 03:10:30 2017 -0400
>
>     gnu: poppler: Fix CVE-2017-{9775,9776}.
>     
>     * gnu/packages/pdf.scm (poppler)[replacement]: New field.
>     (poppler-0.56.0): New variable.
>     (poppler-qt4, poppler-qt5): Use 'package/inherit'.
> ---
>  gnu/packages/pdf.scm | 17 +++++++++++++++--
>  1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm
> index 5ccaa38..dce02a7 100644
> --- a/gnu/packages/pdf.scm
> +++ b/gnu/packages/pdf.scm
> @@ -76,6 +76,7 @@
>  (define-public poppler
>    (package
>     (name "poppler")
> +   (replacement poppler-0.56.0)
>     (version "0.52.0")
>     (source (origin
>              (method url-fetch)
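
Review bot: `(replacement poppler-0.56.0)` sits directly above `(version "0.52.0")`, so the graft swaps in a newer release, and nothing in the hunk records that the two builds expose the same shared-library soname. Compare the sonames of both builds before relying on this field and note the result in a comment next to it; if they differ, the replacement should be 0.52.0 with the CVE patches applied instead.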

Unfortunately, we cannot use poppler-0.56.0 to replace 0.52.0 via
grafting.  The shared library major version number bump indicates an ABI
incompatibility.

Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
need to find backported fixes for poppler-0.52.0 (or possibly some newer
version that has the same ABI as 0.52.0), and apply those as patches in
the replacement.

      Mark
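
A pre-graft check for the failure described in this message, as an added example (not code from Guix or from anyone in the thread): it compares the SONAME of the original and the replacement library as printed by `readelf -d`, and lists the dependents whose NEEDED entries the graft would leave unresolved. The readelf excerpts are constructed samples that use the two sonames reported in the thread; `dynamic_entries` and `graft_check` are hypothetical helper names.

```python
import re

# Constructed `readelf -d` excerpts (not captured from real builds); the two
# libpoppler sonames are the ones reported in this thread.
ORIGINAL = """\
 0x0000000000000001 (NEEDED)   Shared library: [libfreetype.so.6]
 0x000000000000000e (SONAME)   Library soname: [libpoppler.so.66]
"""
REPLACEMENT = """\
 0x0000000000000001 (NEEDED)   Shared library: [libfreetype.so.6]
 0x000000000000000e (SONAME)   Library soname: [libpoppler.so.67]
"""
INKSCAPE = """\
 0x0000000000000001 (NEEDED)   Shared library: [libpoppler.so.66]
 0x0000000000000001 (NEEDED)   Shared library: [libpng16.so.16]
"""

_ENTRY = re.compile(r"\((SONAME|NEEDED)\)[ \t]+[^\[\n]*\[([^\]\n]+)\]")


def dynamic_entries(readelf_text):
    """Return (soname or None, [NEEDED names]) parsed from `readelf -d` text."""
    soname, needed = None, []
    for tag, value in _ENTRY.findall(readelf_text):
        if tag == "SONAME":
            soname = value
        else:
            needed.append(value)
    return soname, needed


def graft_check(original, replacement, dependents):
    """Return (ok, broken): ok is False when the sonames differ, and broken
    names the dependents that still request the original soname. Grafting
    rewrites store references in dependents, not their NEEDED names, so those
    programs fail at load time. Equal sonames are necessary for a safe graft,
    not proof of ABI compatibility."""
    old = dynamic_entries(original)[0]
    new = dynamic_entries(replacement)[0]
    if old is None or new is None:
        raise ValueError("library has no SONAME entry")
    if old == new:
        return True, []
    return False, [name for name, text in dependents.items()
                   if old in dynamic_entries(text)[1]]


if __name__ == "__main__":
    print(graft_check(ORIGINAL, REPLACEMENT, {"inkscape": INKSCAPE}))
```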


* bug#27621: Poppler's replacement is ABI-incompatible with the original
From: Leo Famulari @ 2017-07-09  6:30 UTC
  To: Mark H Weaver; +Cc: Ben Woodcroft, control, 27621

On Sat, Jul 08, 2017 at 06:04:37PM -0400, Mark H Weaver wrote:
> Ben Woodcroft <donttrustben@gmail.com> writes:
> 
> > Currently Inkscape fails to start as the poppler shared library changes from
> > libpoppler.so.66 to libpoppler.so.67 upon grafting. Is this the correct way
> > to fix this issue?

> The problem originated with the following security update:
> 
> leo@famulari.name (Leo Famulari) writes:
> > lfam pushed a commit to branch master
> > in repository guix.
> >
> > commit 95bbaa02aa63bc5eae36f686f1ed9915663aa4cf
> > Author: Leo Famulari <leo@famulari.name>
> > Date:   Thu Jun 29 03:10:30 2017 -0400
> >
> >     gnu: poppler: Fix CVE-2017-{9775,9776}.
> >     
> >     * gnu/packages/pdf.scm (poppler)[replacement]: New field.
> >     (poppler-0.56.0): New variable.
> >     (poppler-qt4, poppler-qt5): Use 'package/inherit'.

Sorry about this mistake.

> Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
> need to find backported fixes for poppler-0.52.0 (or possibly some newer
> version that has the same ABI as 0.52.0), and apply those as patches in
> the replacement.

I just pushed b3cc304b3050e89858c88947fbd7d76c108b5d67 which applies a
patch for CVE-2017-9776 onto the poppler 0.52.0 source code.

We'll need to write and test our own patch for CVE-2017-9775 that will
apply to the source of poppler 0.52.0, or wait for someone else to do
it and copy theirs.


* bug#27621: Poppler's replacement is ABI-incompatible with the original
From: Mark H Weaver @ 2017-07-09 21:25 UTC
  To: Leo Famulari; +Cc: Ben Woodcroft, 27621-done

Leo Famulari <leo@famulari.name> writes:

> On Sat, Jul 08, 2017 at 06:04:37PM -0400, Mark H Weaver wrote:
>> Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we
>> need to find backported fixes for poppler-0.52.0 (or possibly some newer
>> version that has the same ABI as 0.52.0), and apply those as patches in
>> the replacement.
>
> I just pushed b3cc304b3050e89858c88947fbd7d76c108b5d67 which applies a
> patch for CVE-2017-9776 onto the poppler 0.52.0 source code.

Thank you! :)

> We'll need to write and test our own patch for CVE-2017-9775 that will
> apply to the source of poppler 0.52.0, or wait for someone else to do
> it and copy theirs.

I looked, but backporting the fix to 0.52.0 seems non-trivial.  Fedora
26 uses poppler-0.52.0, but I see that they have not yet fixed either of
these CVEs.

  http://pkgs.fedoraproject.org/cgit/rpms/poppler.git/log/?h=f26

They did, however, cherry-pick an upstream patch to fix a null pointer
dereference bug in 0.52.0.  I'll look into adding this patch to our
poppler.

FWIW, Fedora considers CVE-2017-9775 to be of low severity:

  https://access.redhat.com/security/cve/cve-2017-9775

Anyway, I'm closing this bug now.  Thanks again for your tireless
efforts to keep us safe, Leo!

      Mark


* bug#27621: Poppler's replacement is ABI-incompatible with the original
From: Leo Famulari @ 2017-07-10  1:48 UTC
  To: Mark H Weaver; +Cc: 27621-done

On Sun, Jul 09, 2017 at 05:25:07PM -0400, Mark H Weaver wrote:
> They did, however, cherry-pick an upstream patch to fix a null pointer
> dereference bug in 0.52.0.  I'll look into adding this patch to our
> poppler.

Thanks! Let us know how it goes.

> FWIW, Fedora considers CVE-2017-9775 to be of low severity:
> 
>   https://access.redhat.com/security/cve/cve-2017-9775

The disclosure on the freedesktop bug tracker [0] says:

"Due to some restrictions in the lines after the bug, an attacker can't
control the values written in the stack so it unlikely this could lead
to a code execution."

So, not great but, if their estimation is right, not that bad either.

[0] https://bugs.freedesktop.org/show_bug.cgi?id=101540


* bug#27621: Poppler's replacement is ABI-incompatible with the original
From: Mark H Weaver @ 2017-07-10 17:07 UTC
  To: Leo Famulari; +Cc: 27621-done

Leo Famulari <leo@famulari.name> writes:

> On Sun, Jul 09, 2017 at 05:25:07PM -0400, Mark H Weaver wrote:
>> They did, however, cherry-pick an upstream patch to fix a null pointer
>> dereference bug in 0.52.0.  I'll look into adding this patch to our
>> poppler.
>
> Thanks! Let us know how it goes.

Pushed to master as commit ef019092b98e1337acac51525e8e4e092267f69c.

      Mark
