unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* A "cosmetic changes" commit that removes security fixes
@ 2021-04-21 21:11 Mark H Weaver
  2021-04-21 21:24 ` Mark H Weaver
  2021-04-21 22:16 ` Leo Prikler
  0 siblings, 2 replies; 68+ messages in thread
From: Mark H Weaver @ 2021-04-21 21:11 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 566 bytes --]

Hello Guix,

Raghav Gururajan has pushed another misleading "cosmetic changes"
commit.  This one is *far* worse than the examples I gave before.
This one removes the security fixes for CVE-2018-19876 and
cairo-CVE-2020-35492 that I had applied in commit
bc16eacc99e801ac30cbe2aa649a2be3ca5c102a.

Behold, Raghav's "cosmetic changes" to our 'cairo' package:

  https://git.savannah.gnu.org/cgit/guix.git/commit/?h=wip-gnome&id=d975ed975456a2c8e855eb024b5487c4c460684a

With this in mind, does anyone else find it worrisome that Raghav has
commit access?

      Mark


[-- Attachment #2: Misleading "cosmetic changes" commit by Raghav Gururajan --]
[-- Type: text/x-patch, Size: 9525 bytes --]

From d975ed975456a2c8e855eb024b5487c4c460684a Mon Sep 17 00:00:00 2001
From: Raghav Gururajan <raghavgururajan@disroot.org>
Date: Fri, 4 Dec 2020 00:48:43 -0500
Subject: [PATCH] gnu: cairo: Make some cosmetic changes.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* gnu/packages/patches/cairo-CVE-2018-19876.patch,
gnu/packages/patches/cairo-CVE-2020-35492.patch: Remove patches.
* gnu/local.mk (dist_patch_DATA): Unregister them.
* gnu/packages/gtk.scm (cairo): Make some cosmetic changes.
[replacement]: Remove.
(cairo/fixed): Remove.

Signed-off-by: Léo Le Bouter <lle-bout@zaclys.net>
---
 gnu/local.mk                                  |  2 -
 gnu/packages/gtk.scm                          | 92 +++++++++----------
 .../patches/cairo-CVE-2018-19876.patch        | 37 --------
 .../patches/cairo-CVE-2020-35492.patch        | 49 ----------
 4 files changed, 41 insertions(+), 139 deletions(-)
 delete mode 100644 gnu/packages/patches/cairo-CVE-2018-19876.patch
 delete mode 100644 gnu/packages/patches/cairo-CVE-2020-35492.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e01e7970d2..e93ce45f5a 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -877,8 +877,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/bpftrace-disable-bfd-disasm.patch	\
   %D%/packages/patches/busybox-CVE-2021-28831.patch		\
   %D%/packages/patches/byobu-writable-status.patch		\
-  %D%/packages/patches/cairo-CVE-2018-19876.patch		\
-  %D%/packages/patches/cairo-CVE-2020-35492.patch		\
   %D%/packages/patches/calibre-no-updates-dialog.patch		\
   %D%/packages/patches/calibre-remove-test-sqlite.patch		\
   %D%/packages/patches/calibre-remove-test-unrar.patch		\
diff --git a/gnu/packages/gtk.scm b/gnu/packages/gtk.scm
index 2699b97b49..ff0c1296e1 100644
--- a/gnu/packages/gtk.scm
+++ b/gnu/packages/gtk.scm
@@ -123,67 +123,57 @@ tools have full access to view and control running applications.")
 
 (define-public cairo
   (package
-   (name "cairo")
-   (version "1.16.0")
-   (replacement cairo/fixed)
-   (source (origin
-            (method url-fetch)
-            (uri (string-append "https://cairographics.org/releases/cairo-"
-                                version ".tar.xz"))
-            (sha256
-             (base32
-              "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy"))))
-   (build-system gnu-build-system)
-   (propagated-inputs
-    `(("fontconfig" ,fontconfig)
-      ("freetype" ,freetype)
-      ("glib" ,glib)
-      ("libpng" ,libpng)
-      ("libx11" ,libx11)
-      ("libxext" ,libxext)
-      ("libxrender" ,libxrender)
-      ("pixman" ,pixman)))
-   (inputs
-    `(("ghostscript" ,ghostscript)
-      ("libspectre" ,libspectre)
-      ("poppler" ,poppler)
-      ("xorgproto" ,xorgproto)
-      ("zlib" ,zlib)))
-   (native-inputs
-     `(("pkg-config" ,pkg-config)
-      ("python" ,python-wrapper)))
+    (name "cairo")
+    (version "1.16.0")
+    (source
+     (origin
+       (method url-fetch)
+       (uri
+        (string-append "https://cairographics.org/releases/cairo-"
+                       version ".tar.xz"))
+       (sha256
+        (base32 "0c930mk5xr2bshbdljv005j3j8zr47gqmkry3q6qgvqky6rjjysy"))))
+    (build-system gnu-build-system)
     (arguments
-     `(#:tests? #f  ; see http://lists.gnu.org/archive/html/bug-guix/2013-06/msg00085.html
-       #:configure-flags '("--enable-tee"      ;needed for GNU Icecat
-                           "--enable-xml"      ;for cairo-xml support
-                           "--disable-static")))
-   (synopsis "2D graphics library")
-   (description
-    "Cairo is a 2D graphics library with support for multiple output devices.
-Currently supported output targets include the X Window System (via both
-Xlib and XCB), Quartz, Win32, image buffers, PostScript, PDF, and SVG file
+     `(#:tests? #f ; see http://lists.gnu.org/archive/html/bug-guix/2013-06/msg00085.html
+       #:configure-flags
+       (list
+        "--enable-tee"                    ;needed for GNU Icecat
+        "--enable-xml"                    ;for cairo-xml support
+        "--disable-static")))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)
+       ("python" ,python-wrapper)))
+    (inputs
+     `(("ghostscript" ,ghostscript)
+       ("libspectre" ,libspectre)
+       ("poppler" ,poppler)
+       ("xorgproto" ,xorgproto)
+       ("zlib" ,zlib)))
+    (propagated-inputs
+     `(("fontconfig" ,fontconfig)
+       ("freetype" ,freetype)
+       ("glib" ,glib)
+       ("libpng" ,libpng)
+       ("libx11" ,libx11)
+       ("libxext" ,libxext)
+       ("libxrender" ,libxrender)
+       ("pixman" ,pixman)))
+    (synopsis "2D graphics library")
+    (description "Cairo is a 2D graphics library with support for multiple output
+devices.  Currently supported output targets include the X Window System (via
+both Xlib and XCB), Quartz, Win32, image buffers, PostScript, PDF, and SVG file
 output.  Experimental backends include OpenGL, BeOS, OS/2, and DirectFB.
-
 Cairo is designed to produce consistent output on all output media while
 taking advantage of display hardware acceleration when available
 eg. through the X Render Extension).
-
 The cairo API provides operations similar to the drawing operators of
 PostScript and PDF.  Operations in cairo including stroking and filling cubic
 Bézier splines, transforming and compositing translucent images, and
 antialiased text rendering.  All drawing operations can be transformed by any
 affine transformation (scale, rotation, shear, etc.).")
-   (license license:lgpl2.1) ; or Mozilla Public License 1.1
-   (home-page "https://cairographics.org/")))
-
-(define cairo/fixed
-  (package
-    (inherit cairo)
-    (source (origin
-              (inherit (package-source cairo))
-              (patches (append (search-patches "cairo-CVE-2018-19876.patch"
-                                               "cairo-CVE-2020-35492.patch")
-                               (origin-patches (package-source cairo))))))))
+    (home-page "https://cairographics.org/")
+    (license license:lgpl2.1))) ; or Mozilla Public License 1.1
 
 (define-public cairo-sans-poppler
   ;; Variant used to break the dependency cycle between Poppler and Cairo.
diff --git a/gnu/packages/patches/cairo-CVE-2018-19876.patch b/gnu/packages/patches/cairo-CVE-2018-19876.patch
deleted file mode 100644
index c0fba2ecaa..0000000000
--- a/gnu/packages/patches/cairo-CVE-2018-19876.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Copied from Debian.
-
-From: Carlos Garcia Campos <cgarcia@igalia.com>
-Date: Mon, 19 Nov 2018 12:33:07 +0100
-Subject: ft: Use FT_Done_MM_Var instead of free when available in
- cairo_ft_apply_variations
-
-Fixes a crash when using freetype >= 2.9
-
-[This is considered to be security-sensitive because WebKitGTK+ sets its
-own memory allocator, which is not compatible with system free(), making
-this a remotely triggerable denial of service or memory corruption.]
-
-Origin: upstream, commit:90e85c2493fdfa3551f202ff10282463f1e36645
-Bug: https://gitlab.freedesktop.org/cairo/cairo/merge_requests/5
-Bug-Debian: https://bugs.debian.org/916389
-Bug-CVE: CVE-2018-19876
----
- src/cairo-ft-font.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/cairo-ft-font.c b/src/cairo-ft-font.c
-index 325dd61..981973f 100644
---- a/src/cairo-ft-font.c
-+++ b/src/cairo-ft-font.c
-@@ -2393,7 +2393,11 @@ skip:
- done:
-         free (coords);
-         free (current_coords);
-+#if HAVE_FT_DONE_MM_VAR
-+        FT_Done_MM_Var (face->glyph->library, ft_mm_var);
-+#else
-         free (ft_mm_var);
-+#endif
-     }
- }
- 
diff --git a/gnu/packages/patches/cairo-CVE-2020-35492.patch b/gnu/packages/patches/cairo-CVE-2020-35492.patch
deleted file mode 100644
index e8b90fa5c5..0000000000
--- a/gnu/packages/patches/cairo-CVE-2020-35492.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Copied from Debian.
-
-From 03a820b173ed1fdef6ff14b4468f5dbc02ff59be Mon Sep 17 00:00:00 2001
-From: Heiko Lewin <heiko.lewin@worldiety.de>
-Date: Tue, 15 Dec 2020 16:48:19 +0100
-Subject: [PATCH] Fix mask usage in image-compositor
-
-[trimmed test case, since not used in Debian build]
-
----
- src/cairo-image-compositor.c                |   8 ++--
-
---- cairo-1.16.0.orig/src/cairo-image-compositor.c
-+++ cairo-1.16.0/src/cairo-image-compositor.c
-@@ -2601,14 +2601,14 @@ _inplace_src_spans (void *abstract_rende
- 		    unsigned num_spans)
- {
-     cairo_image_span_renderer_t *r = abstract_renderer;
--    uint8_t *m;
-+    uint8_t *m, *base = (uint8_t*)pixman_image_get_data(r->mask);
-     int x0;
- 
-     if (num_spans == 0)
- 	return CAIRO_STATUS_SUCCESS;
- 
-     x0 = spans[0].x;
--    m = r->_buf;
-+    m = base;
-     do {
- 	int len = spans[1].x - spans[0].x;
- 	if (len >= r->u.composite.run_length && spans[0].coverage == 0xff) {
-@@ -2646,7 +2646,7 @@ _inplace_src_spans (void *abstract_rende
- 				      spans[0].x, y,
- 				      spans[1].x - spans[0].x, h);
- 
--	    m = r->_buf;
-+	    m = base;
- 	    x0 = spans[1].x;
- 	} else if (spans[0].coverage == 0x0) {
- 	    if (spans[0].x != x0) {
-@@ -2675,7 +2675,7 @@ _inplace_src_spans (void *abstract_rende
- #endif
- 	    }
- 
--	    m = r->_buf;
-+	    m = base;
- 	    x0 = spans[1].x;
- 	} else {
- 	    *m++ = spans[0].coverage;
-- 
2.31.1


^ permalink raw reply related	[flat|nested] 68+ messages in thread
* Re: A "cosmetic changes" commit that removes security fixes
@ 2021-04-22  0:58 Raghav Gururajan
  2021-04-22  2:41 ` Mark H Weaver
  0 siblings, 1 reply; 68+ messages in thread
From: Raghav Gururajan @ 2021-04-22  0:58 UTC (permalink / raw)
  To: Guix Devel
  Cc: mhw, Tobias Geerinckx-Rice, Leo Prikler, Leo Famulari,
	Léo Le Bouter


[-- Attachment #1.1: Type: text/plain, Size: 1758 bytes --]

Hi Mark!

> Raghav Gururajan has pushed another misleading "cosmetic changes"
> commit.

When you brought-up the concern 
(https://lists.gnu.org/archive/html/guix-devel/2020-12/msg00008.html), 
which I am grateful for, I have worked myself to prevent that from 
happening. It was so hard for me provided that I suffer from OCD 
(clinically-diagnosed and being treated for). I never made single "Make 
cosmetic changes" patches after that discussion. These two patches you 
are referring to, was made even before our discussion, as a part of 
wip-desktop work. The patches were pushed to core-updates as a part of 
#42958. Also, during review, I clearly stated about these two cosmetic 
changes patches, in this message (https://issues.guix.gnu.org/42958#64).

> This one is *far* worse than the examples I gave before.
> This one removes the security fixes for CVE-2018-19876 and
> cairo-CVE-2020-35492 that I had applied in commit
> bc16eacc99e801ac30cbe2aa649a2be3ca5c102a.

The commit is not new. I cherry-picked from core-updates 
(993de472ed3dfe90e1c4110b6b910c1f74d243ff), which was pushed as a part 
of #42958.

> Behold, Raghav's "cosmetic changes" to our 'cairo' package:
The commit is also not new. I cherry-picked from core-updates 
(f94cdc86f644984ca83164d40b17e7eed6e22091), which was pushed as a part 
of #42958.

NOTE:
When I format-patched these patches, initially (42958), did not contain 
changes to remove CVE. IIRC, when Leo and I were working outside of 
savannah, this change was probably added when we updated glib to latest 
version.

> With this in mind, does anyone else find it worrisome that Raghav has
> commit access?

I wish you had given me the benefit of the doubt.

Regards,
RG.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 236 bytes --]

^ permalink raw reply	[flat|nested] 68+ messages in thread

end of thread, other threads:[~2021-05-06 17:25 UTC | newest]

Thread overview: 68+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-04-21 21:11 A "cosmetic changes" commit that removes security fixes Mark H Weaver
2021-04-21 21:24 ` Mark H Weaver
2021-04-21 22:22   ` Tobias Geerinckx-Rice
2021-04-21 23:45   ` Raghav Gururajan
2021-04-21 22:16 ` Leo Prikler
2021-04-21 22:52   ` Leo Famulari
  -- strict thread matches above, loose matches on Subject: below --
2021-04-22  0:58 Raghav Gururajan
2021-04-22  2:41 ` Mark H Weaver
2021-04-22  3:17   ` Raghav Gururajan
2021-04-22  4:05     ` Raghav Gururajan
2021-04-22  4:33       ` Mark H Weaver
2021-04-22  5:02         ` Raghav Gururajan
2021-04-22 17:21       ` Mark H Weaver
2021-04-22 21:49         ` Raghav Gururajan
2021-04-24  8:09           ` Mark H Weaver
2021-04-30  0:58             ` aviva
2021-04-22 18:37       ` Leo Famulari
2021-04-22 18:48         ` Mark H Weaver
2021-04-22 21:50         ` Raghav Gururajan
2021-04-22  4:08     ` Mark H Weaver
2021-04-22 11:39       ` 宋文武
2021-04-22 13:28         ` Mark H Weaver
2021-04-22 20:01       ` Léo Le Bouter
2021-04-22 21:08         ` Christopher Baines
2021-04-22 21:09         ` Leo Prikler
2021-04-22 21:21         ` Mark H Weaver
2021-04-23 17:52           ` Maxim Cournoyer
2021-04-23 18:00             ` Raghav Gururajan
2021-04-23 18:38               ` Maxim Cournoyer
2021-04-23 22:06                 ` Raghav Gururajan
2021-04-23 18:50             ` Léo Le Bouter
2021-04-23 19:15               ` Leo Prikler
2021-04-23 19:18               ` Leo Famulari
2021-04-23 19:33                 ` Léo Le Bouter
2021-04-23 20:12                   ` Leo Famulari
2021-04-26 17:06                     ` Giovanni Biscuolo
2021-04-26 17:32                       ` Leo Famulari
2021-04-26 21:56                         ` Giovanni Biscuolo
2021-04-26 23:01                           ` Leo Famulari
2021-04-24  7:46                   ` Mark H Weaver
2021-04-26 14:59                     ` Léo Le Bouter
2021-04-26 15:23                       ` Tobias Geerinckx-Rice
2021-04-26 17:21                         ` Ludovic Courtès
2021-04-26 20:07                           ` Pjotr Prins
2021-04-26 17:46                         ` Léo Le Bouter
2021-04-28 15:52                           ` Marius Bakke
2021-04-29  9:13                             ` Léo Le Bouter
2021-04-29 11:46                               ` Leo Prikler
2021-04-29 11:57                                 ` Léo Le Bouter
2021-04-29 11:41                             ` Arun Isaac
2021-04-29 12:44                               ` Pierre Neidhardt
2021-04-29 14:14                                 ` Pjotr Prins
2021-04-30 17:40                                   ` Pierre Neidhardt
2021-04-30 19:56                                     ` Pjotr Prins
2021-05-01  7:23                                       ` Arun Isaac
2021-05-01 12:40                                         ` Pjotr Prins
2021-05-01  9:15                                       ` Pierre Neidhardt
2021-05-01 10:18                                         ` Yasuaki Kudo
2021-05-03  7:18                                           ` Pierre Neidhardt
2021-05-01 14:50                                     ` Giovanni Biscuolo
2021-05-03  7:25                                       ` Pierre Neidhardt
2021-05-04  2:18                                         ` Bengt Richter
2021-05-04  6:55                                           ` Pierre Neidhardt
2021-05-04 15:43                                             ` Ludovic Courtès
2021-05-06 17:18                                               ` Pierre Neidhardt
2021-04-29 16:21                               ` Arun Isaac
2021-04-26 19:31                 ` Léo Le Bouter
2021-04-27 18:10                   ` Andreas Enge

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).