From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mark H Weaver Subject: Re: [PATCH] gnu: mupdf: Fix some security problems in bundled mujs. Date: Sun, 15 Jan 2017 18:05:02 -0500 Message-ID: <8737gjkjq9.fsf@netris.org> References: <20170112180655.1588-1-mbakke@fastmail.com> <20170112183017.GB23706@jasmine> <87wpe05adv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <20170112200346.GA11411@jasmine> <87shonai6b.fsf@netris.org> <20170115184717.GA29718@jasmine> <87lgucxhwz.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <20170115204922.GB4522@jasmine> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:49420) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cStrU-0003fA-VD for guix-devel@gnu.org; Sun, 15 Jan 2017 18:05:21 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cStrR-0000zd-J5 for guix-devel@gnu.org; Sun, 15 Jan 2017 18:05:20 -0500 Received: from world.peace.net ([50.252.239.5]:46830) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1cStrR-0000zU-EY for guix-devel@gnu.org; Sun, 15 Jan 2017 18:05:17 -0500 In-Reply-To: <20170115204922.GB4522@jasmine> (Leo Famulari's message of "Sun, 15 Jan 2017 15:49:22 -0500") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Leo Famulari Cc: guix-devel@gnu.org Hi Leo, Leo Famulari writes: > From 34cc0dc9d9451d540f8733ebca2a3db54a073aa0 Mon Sep 17 00:00:00 2001 > From: Marius Bakke > Date: Thu, 12 Jan 2017 19:06:55 +0100 > Subject: [PATCH 1/2] gnu: mupdf: Fix CVE-2016-{10132,10133} in bundled mu= js. > > * gnu/packages/patches/mupdf-mujs-CVE-2016-10132.patch, > gnu/packages/patches/mupdf-mujs-CVE-2016-10133.patch: New files. > * gnu/local.mk (dist_patch_DATA): Add them. > * gnu/packages/pdf.scm (mupdf)[replacement]: New field. We should indeed add a 'replacement' field to 'mupdf', but that part of the patch seems to have gotten lost: > diff --git a/gnu/packages/pdf.scm b/gnu/packages/pdf.scm > index 9b3571e67..5efc5e6d1 100644 > --- a/gnu/packages/pdf.scm > +++ b/gnu/packages/pdf.scm > @@ -6,10 +6,11 @@ > ;;; Copyright =C2=A9 2016 Roel Janssen > ;;; Coypright =C2=A9 2016 ng0 > ;;; Coypright =C2=A9 2016 Efraim Flashner > -;;; Coypright =C2=A9 2016 Marius Bakke > +;;; Coypright =C2=A9 2016, 2017 Marius Bakke > ;;; Coypright =C2=A9 2016 Ludovic Court=C3=A8s > ;;; Coypright =C2=A9 2016 Julien Lepiller > ;;; Copyright =C2=A9 2016 Arun Isaac > +;;; Copyright =C2=A9 2017 Leo Famulari > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -538,6 +539,18 @@ line tools for batch rendering (pdfdraw), rewriting = files (pdfclean), > and examining the file structure (pdfshow).") > (license license:agpl3+))) >=20=20 > +(define mupdf/fixed > + (package > + (inherit mupdf) > + (source > + (origin > + (inherit (package-source mupdf)) > + (patches > + (append > + (origin-patches (package-source mupdf)) > + (search-patches "mupdf-mujs-CVE-2016-10132.patch" > + "mupdf-mujs-CVE-2016-10133.patch"))))))) > + > (define-public qpdf > (package > (name "qpdf") Also, you should probably add a "Co-authored-by:" header in the commit log for yourself :) Otherwise it looks good to me. Thanks to both of you for working on it! Mark