From: Leo Famulari
Subject: Re: [PATCH] gnu: mupdf: Fix some security problems in bundled mujs.
Date: Thu, 12 Jan 2017 15:03:46 -0500
Message-ID: <20170112200346.GA11411@jasmine>
To: Marius Bakke
Cc: guix-devel@gnu.org

On Thu, Jan 12, 2017 at 08:46:52PM +0100, Marius Bakke wrote:
> Leo Famulari writes:
>
> > Can you include links to the upstream bug reports in the patch files?
>
> Good catch; added.
>
> > Through cups, this requires ~600 rebuilds. I wonder if we can graft it?
> > That is, is the ABI compatible?
>
> Good question. The null pointer dereference patch renames a function,
> and I can find it in /gnu/store/...-mupdf-1.10a/lib/libmupdfthird.a. So
> I guess not.
>
> There is also /lib/libmupdf.a which I assume most packages use, and does
> not seem to use anything from mujs.
>
> This package only provides static libraries, so grafting may not even
> work. In most cases I've come across, the static library is embedded
> with "ar" in the final package (cups does not retain a reference to
> mupdf). What to do?

If we can't graft it, we should build it on a branch on Hydra.

Mark, what do you think?