
xpdf: 4.00 -> 4.02 #68616

Merged
merged 2 commits into from Nov 22, 2019

Conversation

@sikmir (Member) commented Sep 12, 2019

Motivation for this change
CVE-2018-7173: fixed in 4.01 [JBIG2Stream.cc]
CVE-2018-7174: fixed in 4.01 [XRef.cc]
CVE-2018-7175: fixed in 4.01 [JPXStream.cc]
CVE-2018-7452: fixed in 4.01 [JPXStream.cc]
CVE-2018-7454: fixed in 4.01 [XFAForm.cc]
CVE-2018-16368: fixed in 4.01 [Splash.cc]
CVE-2018-18651: fixed in 4.01 [Catalog.cc]
...
  • knownVulnerabilities (will be fixed in 5.00)
    CVE-2018-7453: loop in PDF objects
    CVE-2018-16369: loop in PDF objects
    CVE-2019-9587: loop in PDF objects; will be fixed in 5.00
    CVE-2019-9588: loop in PDF objects; will be fixed in 5.00
    CVE-2019-16088: loop in PDF objects; will be fixed in 5.00
  • Xpdf no longer uses t1lib (since 3.04)
  • Printing support is enabled by default
  • Add .desktop file
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
$ nix path-info -Sh /nix/store/r3ws1zl6iwg267n74sh5saxm1xcqqnsy-xpdf-4.00
/nix/store/r3ws1zl6iwg267n74sh5saxm1xcqqnsy-xpdf-4.00	 539.3M
$ nix path-info -Sh /nix/store/9bclywymaxygr2cwsqaqjna5f618qzd2-xpdf-4.02
/nix/store/9bclywymaxygr2cwsqaqjna5f618qzd2-xpdf-4.02	 277.6M
@sikmir sikmir force-pushed the sikmir:xpdf branch from 8fc5cd9 to d3f2519 Oct 16, 2019
@sikmir sikmir changed the title xpdf: 4.00 -> 4.01.01 xpdf: 4.00 -> 4.02 Oct 16, 2019
@sikmir (Member, Author) commented Oct 16, 2019

Updated to 4.02

@jonringer (Contributor) commented Oct 16, 2019

Is it still insecure after the update?

@sikmir (Member, Author) commented Oct 16, 2019

Yes, 2 issues will be fixed in 5.00.

@sikmir (Member, Author) commented Nov 12, 2019

@jonringer Why can't we update to 4.02 instead of waiting for 5.00? The current version 4.00 has around 45 CVEs, none of them mentioned in knownVulnerabilities, but 4.02 has only 5 CVEs. That's much better.

@jonringer (Contributor) commented Nov 12, 2019

Oh, I didn't mean to block, I was just curious.

@jonringer (Contributor) commented Nov 12, 2019

The main thing for me is that, previous to this, I could install xpdf fine; after this, I have to opt into allowing known vulnerabilities to install the package. Some power users may care about that, but I think most people don't. @worldofpeace what do you think?

@worldofpeace (Member) commented Nov 12, 2019

@sikmir You're waiting on a 5.0 release that will have patches for those CVEs, or is it that patches have been committed but they're not included in a release? If they're committed we could just apply those here.

Though looking at https://www.xpdfreader.com/download.html, I don't see a source repo.

The main thing for me is that, previous to this, I could install xpdf fine; after this, I have to opt into allowing known vulnerabilities to install the package. Some power users may care about that, but I think most people don't. @worldofpeace what do you think?

I think this change should be backported, but without permittedInsecurePackages it won't evaluate.
I do think we should use this meta attribute feature, but to be backported to stable we can't use it because it will fail to evaluate for current users. Hopefully before 20.03 there will be a release.

@sikmir Can you move the knownVulnerabilities to a separate commit? Otherwise LGTM.

I should investigate #68616 (comment) also.
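The gating mechanism jonringer and worldofpeace are discussing, as a constructed example rather than the nixpkgs change in this PR: a derivation that carries meta.knownVulnerabilities refuses to evaluate unless the user lists its "<pname>-<version>" name in permittedInsecurePackages. The source URL and hash are placeholders, not real values.

```nix
# Constructed example, not the change from this PR: a derivation carrying
# meta.knownVulnerabilities and the user-side opt-in that lets it evaluate.
# The URL and hash below are placeholders, not values from nixpkgs.
{ pkgs ? import <nixpkgs> {
    # Without this entry, evaluating the package below fails with an
    # "is marked as insecure" error that lists the CVEs from meta.
    # Entries are "<pname>-<version>" strings, matching the derivation name.
    config.permittedInsecurePackages = [ "xpdf-4.02" ];
  }
}:

pkgs.stdenv.mkDerivation rec {
  pname = "xpdf";
  version = "4.02";

  src = pkgs.fetchurl {
    url = "https://example.invalid/xpdf-${version}.tar.gz"; # placeholder URL
    sha256 = pkgs.lib.fakeSha256;                           # placeholder hash
  };

  meta = {
    # Each entry is printed to the user when evaluation is refused;
    # the text is taken from the PR description above.
    knownVulnerabilities = [
      "CVE-2018-7453: loop in PDF objects"
      "CVE-2018-16369: loop in PDF objects"
      "CVE-2019-9587: loop in PDF objects; will be fixed in 5.00"
      "CVE-2019-9588: loop in PDF objects; will be fixed in 5.00"
      "CVE-2019-16088: loop in PDF objects; will be fixed in 5.00"
    ];
  };
}
```

Setting NIXPKGS_ALLOW_INSECURE=1 in the environment of a nix-build or nix-env invocation is the other opt-in and has the same effect as the permittedInsecurePackages entry; either one is the step jonringer refers to when he says users now have to opt in.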

sikmir added 2 commits Sep 12, 2019
@sikmir sikmir force-pushed the sikmir:xpdf branch from d3f2519 to 747086b Nov 12, 2019
@sikmir (Member, Author) commented Nov 12, 2019

@sikmir You're waiting on a 5.0 release that will have patches for those CVEs, or is it that patches have been committed but they're not included in a release? If they're committed we could just apply those here.

I'm not waiting for 5.0; I have no idea when 5.0 is going out or when the fixes will be done. I've just quoted the official security fixes page.

@sikmir Can you move the knownVulnerabilities to a separate commit? Otherwise LGTM.

Done.

@risicle (Contributor) commented Nov 21, 2019

I think this is an improvement on the existing situation. What's the hold-up?

@worldofpeace (Member) commented Nov 22, 2019

I think this is an improvement on the existing situation. What's the hold-up?

Me forgetting to merge, thanks for the reminder 😄

@worldofpeace worldofpeace merged commit a5dba2f into NixOS:master Nov 22, 2019
15 checks passed
  • xpdf on aarch64-linux: No attempt
  • xpdf on x86_64-linux: No attempt
  • Evaluation Performance Report: Evaluator Performance Report
  • grahamcofborg-eval: ^.^!
  • grahamcofborg-eval-check-maintainers: matching changed paths to changed attrs...
  • grahamcofborg-eval-check-meta: config.nix: checkMeta = true
  • grahamcofborg-eval-darwin: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A darwin-tested
  • grahamcofborg-eval-nixos: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release-combined.nix -A tested
  • grahamcofborg-eval-nixos-manual: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A manual
  • grahamcofborg-eval-nixos-options: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./nixos/release.nix -A options
  • grahamcofborg-eval-nixpkgs-manual: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A manual
  • grahamcofborg-eval-nixpkgs-tarball: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A tarball
  • grahamcofborg-eval-nixpkgs-unstable-jobset: nix-instantiate --arg nixpkgs { outPath=./.; revCount=999999; shortRev="ofborg"; } ./pkgs/top-level/release.nix -A unstable
  • grahamcofborg-eval-package-list: nix-env -qa --json --file .
  • grahamcofborg-eval-package-list-no-aliases: nix-env -qa --json --file . --arg config { allowAliases = false; }
@sikmir sikmir deleted the sikmir:xpdf branch Nov 22, 2019
@worldofpeace (Member) commented Nov 22, 2019

Backported the update in 3dd7ed3.
