From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:bcc0::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id sEnbFomVgGBVZwAAgWs5BA (envelope-from ) for ; Wed, 21 Apr 2021 23:13:45 +0200 Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id YNl8EomVgGDFRgAA1q6Kng (envelope-from ) for ; Wed, 21 Apr 2021 21:13:45 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 7F2192020E for ; Wed, 21 Apr 2021 23:13:44 +0200 (CEST) Received: from localhost ([::1]:41386 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lZKAI-000303-LE for larch@yhetil.org; Wed, 21 Apr 2021 17:13:42 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:36744) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lZK9c-0002n9-8s for guix-devel@gnu.org; Wed, 21 Apr 2021 17:13:00 -0400 Received: from world.peace.net ([64.112.178.59]:35672) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lZK9W-00025q-Tb for guix-devel@gnu.org; Wed, 21 Apr 2021 17:13:00 -0400 Received: from mhw by world.peace.net with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1lZK9T-0006Sn-4L; Wed, 21 Apr 2021 17:12:51 -0400 From: Mark H Weaver To: guix-devel@gnu.org Subject: A "cosmetic changes" commit that removes security fixes Date: Wed, 21 Apr 2021 17:11:03 -0400 Message-ID: <877dkv2vi5.fsf@netris.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Received-SPF: pass client-ip=64.112.178.59; envelope-from=mhw@netris.org; helo=world.peace.net X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1619039625; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:list-id:list-help:list-unsubscribe: list-subscribe:list-post; bh=oTAnOPupsPyzn0tQ6EiRJBlfcKrrEQvfPDtMEHPEaY0=; b=KViNPu9e9gWtsttKGNzOVUBls0/kKbR5YTFAEB9/CHRkw+U1hZAbeE3l7LXhckDcjhmAvY 9Vq7h6sSgiPnElYJ+Hamjd41DEZQB8r74cqx7Dn5qSC5KeOQab6LheQEECtErqr8gxJgNX 7IWGYS+WA/fmYoDFjVofG1K6c+exbhKTbYVsmHCenClP0Jj0YSJL2y4qEb8heRn5sFxDT6 0t42OVLk6chi9eXvD/WTn4Vej2sIm4xNw+O3muW0usuOi7ptskuntTZasQdSza4MCn85h+ ykz6HIxHRiguBRJTPdtt9wKc6EHZIBqHNxahUTcZc7clQlQWNpBe2RQB1F3PYg== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1619039625; a=rsa-sha256; cv=none; b=U13VRyAaiDkFO+t+f0ZrYtFqEShI1waAp1XgWNHX1REi6IUkyF7DQK0hBaH3uzGnNdBAPu PI6Sddel8UR6ujSpoJUKvaf/SEIYbBm9UgxdoN6wW6HVBTiyRif1xhdAGZaWxW8I4izSIS /LZ5oeoMgwQGuAN2pfnmRybtIcXQaFzFsqA9/cXXvAnXJVhzKFbIxiKYldqRIswXHsChY4 T+aAxunWTwWy2a32LSpYo6w0rVS5HY+EOMbQicodSZ677lulN+QelAORpCAPh2aw9rRnml eDrh3f2bymddiv+DMrn3xPC8lyduA43NADTzCcbesi+z4zw0gKbn3gz2/vMHIw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -2.44 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 7F2192020E X-Spam-Score: -2.44 X-Migadu-Scanner: scn0.migadu.com X-TUID: J9arGX1zv8Q6 --=-=-= Content-Type: text/plain Hello Guix, Raghav Gururajan has pushed another misleading "cosmetic changes" commit. This one is *far* worse than the examples I gave before. This one removes the security fixes for CVE-2018-19876 and cairo-CVE-2020-35492 that I had applied in commit bc16eacc99e801ac30cbe2aa649a2be3ca5c102a. Behold, Raghav's "cosmetic changes" to our 'cairo' package: https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-gnome&id=d975ed975456a2c8e855eb024b5487c4c460684a With this in mind, does anyone else find it worrisome that Raghav has commit access? Mark --=-=-= Content-Type: text/x-patch; charset=utf-8 Content-Disposition: inline; filename=0001-gnu-cairo-Make-some-cosmetic-changes.patch Content-Transfer-Encoding: quoted-printable Content-Description: Misleading "cosmetic changes" commit by Raghav Gururajan >From d975ed975456a2c8e855eb024b5487c4c460684a Mon Sep 17 00:00:00 2001 From: Raghav Gururajan Date: Fri, 4 Dec 2020 00:48:43 -0500 Subject: [PATCH] gnu: cairo: Make some cosmetic changes. MIME-Version: 1.0 Content-Type: text/plain; charset=3DUTF-8 Content-Transfer-Encoding: 8bit * gnu/packages/patches/cairo-CVE-2018-19876.patch, gnu/packages/patches/cairo-CVE-2020-35492.patch: Remove patches. * gnu/local.mk (dist_patch_DATA): Unregister them. * gnu/packages/gtk.scm (cairo): Make some cosmetic changes. [replacement]: Remove. (cairo/fixed): Remove. Signed-off-by: L=C3=A9o Le Bouter --- gnu/local.mk | 2 - gnu/packages/gtk.scm | 92 +++++++++---------- .../patches/cairo-CVE-2018-19876.patch | 37 -------- .../patches/cairo-CVE-2020-35492.patch | 49 ---------- 4 files changed, 41 insertions(+), 139 deletions(-) delete mode 100644 gnu/packages/patches/cairo-CVE-2018-19876.patch delete mode 100644 gnu/packages/patches/cairo-CVE-2020-35492.patch diff --git a/gnu/local.mk b/gnu/local.mk index e01e7970d2..e93ce45f5a 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -877,8 +877,6 @@ dist_patch_DATA =3D \ %D%/packages/patches/bpftrace-disable-bfd-disasm.patch \ %D%/packages/patches/busybox-CVE-2021-28831.patch \ %D%/packages/patches/byobu-writable-status.patch \ - %D%/packages/patches/cairo-CVE-2018-19876.patch \ - %D%/packages/patches/cairo-CVE-2020-35492.patch \ %D%/packages/patches/calibre-no-updates-dialog.patch \ %D%/packages/patches/calibre-remove-test-sqlite.patch \ %D%/packages/patches/calibre-remove-test-unrar.patch \ diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm index 2699b97b49..ff0c1296e1 100644 --- a/gnu/packages/gtk.scm +++ b/gnu/packages/gtk.scm @@ -123,67 +123,57 @@ tools have full access to view and control running ap= plications.") =20 (define-public cairo (package - (name "cairo") - (version "1.16.0") - (replacement cairo/fixed) - (source (origin - (method url-fetch) - (uri (string-append "https://cairographics.org/releases/cairo-" - version ".tar.xz")) - (sha256 - (base32 - "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy")))) - (build-system gnu-build-system) - (propagated-inputs - `(("fontconfig" ,fontconfig) - ("freetype" ,freetype) - ("glib" ,glib) - ("libpng" ,libpng) - ("libx11" ,libx11) - ("libxext" ,libxext) - ("libxrender" ,libxrender) - ("pixman" ,pixman))) - (inputs - `(("ghostscript" ,ghostscript) - ("libspectre" ,libspectre) - ("poppler" ,poppler) - ("xorgproto" ,xorgproto) - ("zlib" ,zlib))) - (native-inputs - `(("pkg-config" ,pkg-config) - ("python" ,python-wrapper))) + (name "cairo") + (version "1.16.0") + (source + (origin + (method url-fetch) + (uri + (string-append "https://cairographics.org/releases/cairo-" + version ".tar.xz")) + (sha256 + (base32 "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy")))) + (build-system gnu-build-system) (arguments - `(#:tests? #f ; see http://lists.gnu.org/archive/html/bug-guix/2013-= 06/msg00085.html - #:configure-flags '("--enable-tee" ;needed for GNU Icecat - "--enable-xml" ;for cairo-xml support - "--disable-static"))) - (synopsis "2D graphics library") - (description - "Cairo is a 2D graphics library with support for multiple output devic= es. -Currently supported output targets include the X Window System (via both -Xlib and XCB), Quartz, Win32, image buffers, PostScript, PDF, and SVG file + `(#:tests? #f ; see http://lists.gnu.org/archive/html/bug-guix/2013-0= 6/msg00085.html + #:configure-flags + (list + "--enable-tee" ;needed for GNU Icecat + "--enable-xml" ;for cairo-xml support + "--disable-static"))) + (native-inputs + `(("pkg-config" ,pkg-config) + ("python" ,python-wrapper))) + (inputs + `(("ghostscript" ,ghostscript) + ("libspectre" ,libspectre) + ("poppler" ,poppler) + ("xorgproto" ,xorgproto) + ("zlib" ,zlib))) + (propagated-inputs + `(("fontconfig" ,fontconfig) + ("freetype" ,freetype) + ("glib" ,glib) + ("libpng" ,libpng) + ("libx11" ,libx11) + ("libxext" ,libxext) + ("libxrender" ,libxrender) + ("pixman" ,pixman))) + (synopsis "2D graphics library") + (description "Cairo is a 2D graphics library with support for multiple= output +devices. Currently supported output targets include the X Window System (= via +both Xlib and XCB), Quartz, Win32, image buffers, PostScript, PDF, and SVG= file output. Experimental backends include OpenGL, BeOS, OS/2, and DirectFB. - Cairo is designed to produce consistent output on all output media while taking advantage of display hardware acceleration when available eg. through the X Render Extension). - The cairo API provides operations similar to the drawing operators of PostScript and PDF. Operations in cairo including stroking and filling cu= bic B=C3=A9zier splines, transforming and compositing translucent images, and antialiased text rendering. All drawing operations can be transformed by = any affine transformation (scale, rotation, shear, etc.).") - (license license:lgpl2.1) ; or Mozilla Public License 1.1 - (home-page "https://cairographics.org/"))) - -(define cairo/fixed - (package - (inherit cairo) - (source (origin - (inherit (package-source cairo)) - (patches (append (search-patches "cairo-CVE-2018-19876.patch" - "cairo-CVE-2020-35492.patch= ") - (origin-patches (package-source cairo))))))= )) + (home-page "https://cairographics.org/") + (license license:lgpl2.1))) ; or Mozilla Public License 1.1 =20 (define-public cairo-sans-poppler ;; Variant used to break the dependency cycle between Poppler and Cairo. diff --git a/gnu/packages/patches/cairo-CVE-2018-19876.patch b/gnu/packages= /patches/cairo-CVE-2018-19876.patch deleted file mode 100644 index c0fba2ecaa..0000000000 --- a/gnu/packages/patches/cairo-CVE-2018-19876.patch +++ /dev/null @@ -1,37 +0,0 @@ -Copied from Debian. - -From: Carlos Garcia Campos -Date: Mon, 19 Nov 2018 12:33:07 +0100 -Subject: ft: Use FT_Done_MM_Var instead of free when available in - cairo_ft_apply_variations - -Fixes a crash when using freetype >=3D 2.9 - -[This is considered to be security-sensitive because WebKitGTK+ sets its -own memory allocator, which is not compatible with system free(), making -this a remotely triggerable denial of service or memory corruption.] - -Origin: upstream, commit:90e85c2493fdfa3551f202ff10282463f1e36645 -Bug: https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5 -Bug-Debian: https://bugs.debian.org/916389 -Bug-CVE: CVE-2018-19876 ---- - src/cairo-ft-font.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c -index 325dd61..981973f 100644 ---- a/src/cairo-ft-font.c -+++ b/src/cairo-ft-font.c -@@ -2393,7 +2393,11 @@ skip: - done: - free (coords); - free (current_coords); -+#if HAVE_FT_DONE_MM_VAR -+ FT_Done_MM_Var (face->glyph->library, ft_mm_var); -+#else - free (ft_mm_var); -+#endif - } - } -=20 diff --git a/gnu/packages/patches/cairo-CVE-2020-35492.patch b/gnu/packages= /patches/cairo-CVE-2020-35492.patch deleted file mode 100644 index e8b90fa5c5..0000000000 --- a/gnu/packages/patches/cairo-CVE-2020-35492.patch +++ /dev/null @@ -1,49 +0,0 @@ -Copied from Debian. - -From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001 -From: Heiko Lewin -Date: Tue, 15 Dec 2020 16:48:19 +0100 -Subject: [PATCH] Fix mask usage in image-compositor - -[trimmed test case, since not used in Debian build] - ---- - src/cairo-image-compositor.c | 8 ++-- - ---- cairo-1.16.0.orig/src/cairo-image-compositor.c -+++ cairo-1.16.0/src/cairo-image-compositor.c -@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_rende - unsigned num_spans) - { - cairo_image_span_renderer_t *r =3D abstract_renderer; -- uint8_t *m; -+ uint8_t *m, *base =3D (uint8_t*)pixman_image_get_data(r->mask); - int x0; -=20 - if (num_spans =3D=3D 0) - return CAIRO_STATUS_SUCCESS; -=20 - x0 =3D spans[0].x; -- m =3D r->_buf; -+ m =3D base; - do { - int len =3D spans[1].x - spans[0].x; - if (len >=3D r->u.composite.run_length && spans[0].coverage =3D=3D 0xff)= { -@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_rende - spans[0].x, y, - spans[1].x - spans[0].x, h); -=20 -- m =3D r->_buf; -+ m =3D base; - x0 =3D spans[1].x; - } else if (spans[0].coverage =3D=3D 0x0) { - if (spans[0].x !=3D x0) { -@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_rende - #endif - } -=20 -- m =3D r->_buf; -+ m =3D base; - x0 =3D spans[1].x; - } else { - *m++ =3D spans[0].coverage; --=20 2.31.1 --=-=-=--