From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: bug#27621: Poppler's replacement is ABI-incompatible with the original Date: Sun, 9 Jul 2017 02:30:49 -0400 Message-ID: <20170709063049.GA31887@jasmine.lan> References: <20170708110834.13972-1-donttrustben@gmail.com> <87a84ea8lm.fsf@netris.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="FCuugMFkClbJLl1L" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:48696) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dU5kH-0003sI-Sp for bug-guix@gnu.org; Sun, 09 Jul 2017 02:31:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dU5kE-0007IS-Pe for bug-guix@gnu.org; Sun, 09 Jul 2017 02:31:05 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:55635) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dU5kE-0007IA-F4 for bug-guix@gnu.org; Sun, 09 Jul 2017 02:31:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dU5kE-0002Gr-3q for bug-guix@gnu.org; Sun, 09 Jul 2017 02:31:02 -0400 Sender: "Debbugs-submit" Resent-Message-ID: Content-Disposition: inline In-Reply-To: <87a84ea8lm.fsf@netris.org> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Mark H Weaver Cc: Ben Woodcroft , control@debbugs.gnu.org, 27621@debbugs.gnu.org --FCuugMFkClbJLl1L Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Jul 08, 2017 at 06:04:37PM -0400, Mark H Weaver wrote: > Ben Woodcroft writes: >=20 > > Currently Inkscape fails to start as the poppler shared library changes= from > > libpoppler.so.66 to libpoppler.so.67 upon grafting. Is this the correct= way > > to fix this issue? > The problem originated with the following security update: >=20 > leo@famulari.name (Leo Famulari) writes: > > lfam pushed a commit to branch master > > in repository guix. > > > > commit 95bbaa02aa63bc5eae36f686f1ed9915663aa4cf > > Author: Leo Famulari > > Date: Thu Jun 29 03:10:30 2017 -0400 > > > > gnu: poppler: Fix CVE-2017-{9775,9776}. > > =20 > > * gnu/packages/pdf.scm (poppler)[replacement]: New field. > > (poppler-0.56.0): New variable. > > (poppler-qt4, poppler-qt5): Use 'package/inherit'. Sorry about this mistake. > Here's what we need to do: instead of replacing 0.52.0 with 0.56.0, we > need to find backported fixes for poppler-0.52.0 (or possibly some newer > version that has the same ABI as 0.52.0), and apply those as patches in > the replacement. I just pushed b3cc304b3050e89858c88947fbd7d76c108b5d67 which applies a patch for CVE-2017-9776 onto the poppler 0.52.0 source code. We'll need to write and test our own patch for CVE-2017-9775 that will apply to the source of poppler 0.52.0, or wait for someone else to do it and copy theirs. --FCuugMFkClbJLl1L Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAllhzZgACgkQJkb6MLrK fwgpsxAAzrqP6CMcpNPeZrTRMH67GL6bcdlHUCDW8XYSilFU+h2H7DCzwtfp9lr7 Hrc+qm7sN2FHZ0E6Yo9xkfmMXj24xTH5+DNDPglZXaNDMp4ZjA9YAJrnkFS/qU1F ysVlsRgrAMg8oJkJyL75ysUHDcY47TETqJPX96cnJCmERlGkZOo3LdYhB9Ycp8VB tD8xt30erWg/+XK7RWSR3SEWsIzMuz/0biU53nkuAw0OUr7OS8FIgB+r9+P0JDAk wC1pO27M3xxGYbMbEteMORI4kK4gyIM86oc2eJmraR+ZwIsFvAV4jU07NNYkY1A2 c5i9j543hw6xvBnRlh3M4fLcVZ87KX3DuHkCYI2Ys/A1WnIMGlGCXQ83oHo5vMA4 Kh9k+4vaaMDdC7gSwidUuN5rSNzVfF6JdatIQPNgZ5UIPaqBl7zeiNuPjtHl5dbA nx106k0sBuXN4GQEz3QTD2mv/cicJW4uRnH0Az2WFFVKydTe77iiI5fPLgMkS1+g +69w5sDLd6wCmW6UdtFSqR5ARpfYJsv9Tyacmeioj7E7tLxhRLCP96Nbf6b8VYaD BbIaaFsjb3gwvKlOoK83LJuGV+7eBkM3UdKZwqRsiZ/p5Gi26raYYuDxw3WqJSgA +RBZVvOdsugykcRd7fJJnFfd1BygvX8dWlsBmqOqKzs+ZzS/zYE= =AuEF -----END PGP SIGNATURE----- --FCuugMFkClbJLl1L--