Vulnerability roundup 84: fontconfig-2.10.2: 1 advisory

[ckauhaus]

search, files

• CVE-2016-5384 CVSSv3=7.8 (nixos-20.03)

Scanned versions: nixos-20.03: 82b5f87. May contain false positives.

[ckauhaus]

See also: #73630

[flokli]

PR for unstable: #92919
PR for 20.03: #92921

[flokli]

This is still an issue.

[ckauhaus]

oops, sorry

[jtojnar]

We only use config files. We could probably just delete everything but /etc from the derivation, or remove it from top-level.

[flokli]

Yeah, but we still ship the fontconfig binary in nixpkgs. Is there any reason we still need to provide config files parse-able by 2.10.x fontconfig implementations?

[jtojnar]

I doubt there is much of a reason these days, nobody will be running programs compiled against fontconfig 2.10. I just do not want to remove it now so that possible breakage caused by #73795 is not mixed with potential downfall from removing the unversioned path.

[flokli]

#93562 is a new attempt to address this.