From mboxrd@z Thu Jan  1 00:00:00 1970
From: Marius Bakke <mbakke@fastmail.com>
Subject: Re: [PATCH] gnu: mupdf: Fix some security problems in bundled mujs.
Date: Thu, 12 Jan 2017 20:46:52 +0100
Message-ID: <87wpe05adv.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
References: <20170112180655.1588-1-mbakke@fastmail.com>
	<20170112183017.GB23706@jasmine>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:39263)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mbakke@fastmail.com>) id 1cRlKu-00006S-AC
	for guix-devel@gnu.org; Thu, 12 Jan 2017 14:47:01 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mbakke@fastmail.com>) id 1cRlKp-0001an-G5
	for guix-devel@gnu.org; Thu, 12 Jan 2017 14:47:00 -0500
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:48663)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <mbakke@fastmail.com>) id 1cRlKp-0001aa-Aa
	for guix-devel@gnu.org; Thu, 12 Jan 2017 14:46:55 -0500
In-Reply-To: <20170112183017.GB23706@jasmine>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: guix-devel@gnu.org

--=-=-=
Content-Type: text/plain

Leo Famulari <leo@famulari.name> writes:

> Can you include links to the upstream bug reports in the patch files?

Good catch; added.

> Through cups, this requires ~600 rebuilds. I wonder if we can graft it?
> That is, is the ABI compatible?

Good question. The null pointer dereference patch renames a function,
and I can find it in /gnu/store/...-mupdf-1.10a/lib/libmupdfthird.a. So
I guess not.

There is also /lib/libmupdf.a which I assume most packages use, and does
not seem to use anything from mujs.

This package only provides static libraries, so grafting may not even
work. In most cases I've come across, the static library is embedded
with "ar" in the final package (cups do not retain a rerefence to
mupdf). What to do?

(as an aside, I wonder if we can add an "ar-wrapper" that creates thin
archives by default).

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlh33SwACgkQoqBt8qM6
VPqYrQf7BT8gGv/FPMidA6o8jRTqVy1XX8Rhs/w7Tqn5Ts2iarYLPa3Nmlfi9NxZ
TqRAJDpRCvZROPU3BGXx3/RVN/kVt0wf4X88w05M7l7ReaXiZZV8QNerrx9YPPtr
VibIdwRAko3UqbVMYCu0DWymQZ0H6fVEGII9Y5ypfy1/JYmXcRYEtFTIzBCedy/Q
txZtDF4yvsiSLndavUlRGcKRYUcPD0v8/8YIVD77v27MhkxbuIsL2Mmj4PqKyxYn
ewtjMXntL0YeC/006ZZ/kbKR7XED+xs7Rt3jDWElyL+w7YD0oOFWKPWtSu5w8nzj
eZ4YBu6otklJXXL22L4zMfYo7WjDVg==
=cxNK
-----END PGP SIGNATURE-----
--=-=-=--