From: Marius Bakke
Subject: Re: [PATCH] gnu: mupdf: Fix some security problems in bundled mujs.
Date: Thu, 12 Jan 2017 20:46:52 +0100
Message-ID: <87wpe05adv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
References: <20170112180655.1588-1-mbakke@fastmail.com> <20170112183017.GB23706@jasmine>
In-Reply-To: <20170112183017.GB23706@jasmine>
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> Can you include links to the upstream bug reports in the patch files?

Good catch; added.

> Through cups, this requires ~600 rebuilds. I wonder if we can graft it?
> That is, is the ABI compatible?

Good question. The null pointer dereference patch renames a function, and I can find it in /gnu/store/...-mupdf-1.10a/lib/libmupdfthird.a. So I guess not. There is also /lib/libmupdf.a which I assume most packages use, and does not seem to use anything from mujs.

This package only provides static libraries, so grafting may not even work. In most cases I've come across, the static library is embedded with "ar" in the final package (cups does not retain a reference to mupdf).

What to do?

(as an aside, I wonder if we can add an "ar-wrapper" that creates thin archives by default).